23542300x800000000000000010960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:06.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA598E6D3CB2BA3118606ECF6F8AB369,SHA256=4DB9A96D27F860412E48E160308539CC2A0A44572EFBF98550D40FA841C6C89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:06.650{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78F84DF37163463496D6203605290CF,SHA256=21BC0312DBB90A74E429D37E9B9993E533C9E7124F7CB3C921C8BE00F0B0D550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:06.403{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\respondent-20230116112145-013MD5=B18DB66107F9A3DB58AE009D35CE0A39,SHA256=9B023875329D6D96D1D2E2C61D5FC66BDE525A94E7FC76E10487647BF6E62E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:02.473{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49854-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000010962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.745{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD751191CABDD3407CF5B0DE78A2D58,SHA256=3E7D6295A9B80EF67E3CC1EF9EADF450C477768190B178E474653AB7FE1326BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:07.735{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8B6BF841D2CBC31278AD8EF26933A6,SHA256=8358BF7BEB779ADF5973C1F77A226715AD43735D27D5C39EEDDE0A567E59A45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.404{312A7A06-3346-63C5-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0830f89444a367d30\channels\health\surveyor-20230116112142-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:08.834{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BCB8F538C8E49A57C67F913A021FEF,SHA256=8176E980050CB1769E63537B8D164B62CBA1806918B62059783398F5DACCD17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:08.821{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07921783420B046AF4AA0CC26682D8A,SHA256=EF5B1E4D4EE4273D669C536166553031D0FA1940741F1D94CEB3E02E7ABB1BC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.995{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.985{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.973{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.961{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.949{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.921{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.916{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.908{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.902{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000010967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.899{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E7BBB4E3E8B35F275E0027235D9BCA,SHA256=E08306852D69DBE4492C29A52C79B780E3FE8A26DCC1E497914A9DD49713D63A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000010966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.891{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.885{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:09.883{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.101{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.099{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.095{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.094{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.089{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.086{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.085{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.082{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.078{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.076{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.073{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.070{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.062{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.059{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.050{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.037{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.013{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000010977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:10.009{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 354300x800000000000000027242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:07.515{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59193-false10.0.1.12-8000- 23542300x800000000000000027241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.037{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD19015C3464E05BB71A6A0BAB4F8BD,SHA256=1B0E21A1043E0BB6F8C3FBE5B942484546FA6959D72A3E6E5D562BEF24A1581B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:11.472{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BAE1D5553E0353BC89274D7159C9C1,SHA256=B378FEC3F412A17DB4854885F031EFA5A6E647D63E89A0C46AD0287118D5ABA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000010997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:07.653{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49855-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:11.139{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA93EC0752AE194B464DBB72C66F709F,SHA256=339FEC1D61EC2443DA9AB0623504171E058B5372ED337571ECBA2C0BF9A0CAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000010999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:12.284{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BE42A538ECAAE177CBB1A4AD1E8528,SHA256=DF41EBCFCF6E2791F623398608266B91347384E5B6BA60D1C58585EF241E47CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:12.239{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B009864C6CDA4407095B8A9D89E66FBE,SHA256=9D5B7388EA19AEDDD5298A3952CFA9955904319B30E9626B242385333D6FE4E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.227{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:10.227{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-221.attackrange.local389ldap 23542300x800000000000000027245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:13.341{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6BF258A8C99438B880D86E7DE80D03,SHA256=EDC6A65D4FD71C278B4D3D8EDFBF6DA154B76434032DC668A392CF6CD975B6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:13.361{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080C67A900B181E3CB9D644070D44CAF,SHA256=AF436FD8720457032D427EBED7E7787DB5FCE23AD8F497B6D0B33C3772F87E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:14.436{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C178A6CD1D6611B680C56A55EE892A1,SHA256=F1A7C259FDD5A4E9DE9C2D4A06632B7F2CB3B87D19056753E6E2FAA05C267BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:14.433{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EA6908E0013E792CFAD6793A9D75E6,SHA256=88B78C66449DDC71F787DA2BB23EFF764CA20546A314B6264D4E3A2928B3F8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:15.521{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030BDB1639C1DD54B77CD2694FEC118E,SHA256=24B06F874BD3A2EBC4F7F15423171DC847BD4C92DB48115B5D19B9CE18BDDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:15.537{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6C8ED164A1CD7D07E0A5245CF5DC38,SHA256=D483E517B8825CC2A7590592ADC046A6AE0ED17EB70E506E513D1E5469C2CDE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:13.599{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49856-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:16.607{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4F1B4B546A50114A4ECC6968401DD0,SHA256=BFA17A3AFF874BC5C971D7E0508F99FC8F48A5B1D496CEC362ADAED8BAB2E296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:13.513{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59195-false10.0.1.12-8000- 23542300x800000000000000027250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:16.635{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA7CCA5E19BFDD98323E75E9A0C1BCB,SHA256=45336F7D0E3887924F15BFD059D0DAF59C322FC39CF018008382EBE416F50FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:17.698{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9EB4E4046B465974AE2CEC1549F771,SHA256=FA55F0DDD57A67268FC072BD4611D8AE77DB9A54D14676C29FC4E176556A5DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:17.736{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EECA121B3A0712B1F3D9A15466FDBFC,SHA256=B0F45C3E717D06CB5C879BB7C28D92D5DC2879A5278E8D9E5EF18FC20117B010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:18.772{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D626B4F806F0895A168A7778CAEF90,SHA256=31E0CA0A1063B4805D9F808F8FDEE80C131E91C75AABC1C1BEE6BE7ED5EF42C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:18.838{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C1C67757B2F81089209F003BDBD915,SHA256=0BCA09C9FA2F24E00970E972A94B8C1BC003BC455BEBB7F028F653E9CA9FC56B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:18.662{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:19.932{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113CF1F30B8BB42FAE13B1120D8E8729,SHA256=8ABF5E73F7E434B72637CF961EFC811A01F02F65B5DC847D3ADE38B3FDD4318E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:19.862{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199A7D63B4007C8072DB3E465B3B37CB,SHA256=95A81855CEB1AB7C857F9833F46AF5E7031F9A7A33B61F34A898AED34821FA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:17.060{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49857-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000011009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:20.924{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3330A62D703ADA0D76F591F18C34830,SHA256=B55C384A7F67F553D990F33A022D2B3F32994ED41671135CDFD75DCF6603DEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:21.997{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB9F4F141AC182F11B359F5428FAF95,SHA256=8D9EBF40BA5C5DD1D5EB8040E626962CEF243641D0A86C42E9A3483A9865C779,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:18.671{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59196-false10.0.1.12-8000- 23542300x800000000000000027255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:21.024{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43E5AB93EE36551E3C52E76D1D9394B,SHA256=554330E8832A08D6F5FD7C390FDFF4D960C970E095C7E42E9068537FA673AC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:19.556{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49858-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.613{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.608{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.284{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.274{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.262{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.261{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.233{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.212{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.206{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.200{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.163{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.153{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.147{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 23542300x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.116{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F3C23CBE103582EF22F1F7DCC1DA32,SHA256=8C411FC6844DAF7EAB25CA78ABAD70B6B2E291EC8C8441BF9857463FB3FF9784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.100{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.799{FCCA13C7-30EC-63C5-0B00-00000000AF02}628808C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.545{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.546{FCCA13C7-36B7-63C5-4705-00000000AF02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:23.170{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4A8F9DD589A76A4076053CACE9806C,SHA256=31B359E13BF0104D1CC58AE1D9889DF0F0776819A40830988C97AAC2BAAA2683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:23.063{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDE1984348974E8C25AD58309391580,SHA256=E2B7D1564B087A5F878D39BAC07F973F088F76C179870E9320DE3D57852B8EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:24.143{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BBDD2482163C87F48EF6EE4D429157,SHA256=5D97332990E5804C02BBAFEAD6936014CD6D295579D6EF9DD3A3E14BD854DD95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.899{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.899{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0A541BFEE90E6264195A4A86A1831E,SHA256=3A0F3F710CDA9661ECFE8B571F3B43973110FF84320B192CDCDACE35659E68CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.897{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.896{FCCA13C7-36B8-63C5-4905-00000000AF02}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.644{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.643{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.640{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.638{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.637{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.631{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.394{FCCA13C7-36B8-63C5-4805-00000000AF02}51363960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.269{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF999587433A7F62CED2F4BCEF70EEBA,SHA256=6A8413B9EBDDA6438F273A9F5A4A59EC6275100F4102C8C67C29FA48F37ACDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.238{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4A0DCCDC43B45579D88DBCCAC61C7299,SHA256=039AE728C2E391E122F0AF3C2BA209D0066F13949D7FB4FC654B875E788333AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-30EB-63C5-0500-00000000AF02}412428C:\Windows\system32\csrss.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.223{FCCA13C7-36B8-63C5-4805-00000000AF02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.098{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8E4DAFD274512A485C5991DDE4DC1613,SHA256=CE310C0AF470CA36B96BC3416EAD95C6DB3DA4D7B04BA9793FE1D55D355D7C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:25.235{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591E0DBA04B3A20C6B13E7A018FEB68F,SHA256=AE32E8E626203A1BCF2B2496B9D990517D77BE240034E8FDE739F81F8A22EF42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.745{FCCA13C7-36B9-63C5-4A05-00000000AF02}61767104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.563{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.560{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.560{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.559{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.558{FCCA13C7-36B9-63C5-4A05-00000000AF02}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.292{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C409D893FCB84973F14E3A144690CB,SHA256=1665BE9022AA900AD0EEC1387DF18376263041A413BA1CEB30671115B94939C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.246{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.237{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.223{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.220{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.196{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.189{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.176{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.171{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.170{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.167{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.165{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.164{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.159{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.158{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.157{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.156{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:25.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766808C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018C88F10) 10341000x800000000000000027355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.553{FCCA13C7-36BA-63C5-4B05-00000000AF02}65006804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C62F49F0231036B892D9D62D5F09E7,SHA256=A08B56FAB220EB5C03EDD210A385474D4B9D089091E0752F8E6BDD47E959395A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.350{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:26.351{FCCA13C7-36BA-63C5-4B05-00000000AF02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:26.327{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE43497A38BAB31067DEF2F111CAC3F,SHA256=A7796E935F24D5246B57EE767ED3041DBEC1054481F040F9F9C692DBE732B2A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.277{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59197-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 354300x800000000000000027344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:22.277{FCCA13C7-30EA-63C5-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59197-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local445microsoft-ds 23542300x800000000000000027365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.440{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355392B77B42D12BD4C8D863A5A0AC3E,SHA256=1FF0EA0EB90843B200F5BF5C57631EA9EF9E2981432731F0D2A2133317300EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:27.417{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CABD241F934A1CCF64E08833A8C9B3B,SHA256=515EE87147CF1ED078ACF3348AC2B38107A2325A2C17377915502CA72E6624C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.216{FCCA13C7-36BB-63C5-4C05-00000000AF02}66126952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.022{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:27.023{FCCA13C7-36BB-63C5-4C05-00000000AF02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:28.531{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBADE6D73021DB8F91B8EAC5DF41C8D7,SHA256=A5181142231935F15E2D73D7EB938F8B8BEE2A75FD252B4DAE872F5CB1F88937,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:25.515{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49859-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:28.500{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020A433416B7BDC39D249DD8AA665657,SHA256=287935AEDE81F60B1520C33C2C1A8F0E255A485CD7B858855B41511811355C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:24.509{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59198-false10.0.1.12-8000- 23542300x800000000000000011018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:28.219{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3C68F3B941A6C8ACCD2714F132736C3B,SHA256=B9FF410D0DA9E7BDD30AC4543482B2EC31A07D9A5134446F158C67F4411BAD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.602{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F176912BF88555C682B282FEEB2BB22,SHA256=A632A3F7201F030695EE54C96F9067C11943857D714155AE93FAFD21018CED59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.993{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.984{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.973{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.963{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.933{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.928{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.920{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.913{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.898{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.889{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.886{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 23542300x800000000000000011021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:29.576{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606C332CB57568B972260836DAC321F8,SHA256=AC219E389206FDF414D6E88407B3ED7A16359938F9F98F04908E89B95F90B830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-3185-63C5-BC00-00000000AF02}46764596C:\Windows\system32\conhost.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-30EB-63C5-0500-00000000AF02}412528C:\Windows\system32\csrss.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.050{FCCA13C7-3184-63C5-B800-00000000AF02}39444448C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.049{FCCA13C7-36BD-63C5-4D05-00000000AF02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FCCA13C7-30EC-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.696{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFF3FC6A7D8FFD853F2502EC5AA8BF9,SHA256=331F7628DDF33CCF7C0465D1FCAFF58B0B0A1B8573883DCEADDA8327873E98A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:30.702{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294293942F28EC5C6E74FE634A47408E,SHA256=EF8BF955DA5EB3C47F69452D4DD0F3E323A203D24170201F4CE30B6D0A490186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.089{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.087{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.085{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.084{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.080{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.077{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.076{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.075{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.071{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.068{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.067{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.065{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.062{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.056{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.052{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.042{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.032{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.015{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.012{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 10341000x800000000000000011033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:30.003{312A7A06-3346-63C5-1D00-00000000B002}19962592C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439390) 23542300x800000000000000011055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:31.974{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E7D1143858CD1DD89D4E03A9456C92,SHA256=3E1A596077838CB3939ACAB46891B98CA4C3DA7047D68DC561BA68E06B2E44C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:31.789{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805B28CDFD14AB51662ACC718597C9E9,SHA256=FE4CD20BE555825D6FE733BE0DEB800FE5589B3DC6402CE6C12AB4616A294ABC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:32.917{FCCA13C7-3386-63C5-9501-00000000AF02}28963900C:\Windows\system32\taskhostw.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:32.855{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D74F486E4123CE07DF933DC832C953,SHA256=6E6BA8C61189042F3EA99EDB849152F9AA2A924668BF72DE04F5A2FC9CEAB6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:33.960{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB92A6A9A615EF8C477DF5F1B7AEFF0,SHA256=7772B223B3C8CC6AA3F9A8AB5D8D97BB3C110BE9B8B17F5C353B1CAFF5E47170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:33.037{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F0AF82F2B86D26A587CF0CAC09F895,SHA256=C2A20F5896E16ED1150E0CDFB760B66A5EC99B594EE2347688463D8B7B253878,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:29.539{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59199-false10.0.1.12-8000- 23542300x800000000000000027383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:34.809{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\respondent-20230116111158-023MD5=3A7897B317CA03B79FE07533175F9643,SHA256=F76FF17815B8F96571634A983322FD544389A7130FC207258DDFB92658757A4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:31.431{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49860-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:34.124{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1055D72E73157002C9F5DFAD12AE3E1,SHA256=A6041DA89FFDEF3CC112A08E9B963C9F170E4A41877A56242DAFCCB138C1DA16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.926{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.936{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" C:\Users\Administrator\ATTACKRANGE\Administrator{FCCA13C7-3385-63C5-B3E7-140000000000}0x14e7b32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 23542300x800000000000000027385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.816{FCCA13C7-30FB-63C5-2700-00000000AF02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05e5fd78e9b21f966\channels\health\surveyor-20230116111156-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:35.078{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D6E6E4FB82C3C4AB177D7A8C667A94,SHA256=0C1B908216E31BE7F429920A102787D94926C97E39804CBF0BE8DFBFE548F132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:35.192{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B238AA1BB222869C7B1FC8163B4F7EDB,SHA256=F9A5201F9ADD06C13801861EA734CA577B364A04005D529FF4BE0E4607FB1C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.840{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.840{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:36.280{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269A0B85F39EF9C3CB0C7B97CF5233B3,SHA256=02784D6021634AD9FFB30C2A3F6CA515DE88F6DEF8B0C01891CF843B81EBDFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:36.280{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CFB0C7CB8EE097804C12F63AF51D5E,SHA256=54A54E342EC01887F037E61F13AE92A2504A52AD85EF4364A17AB14C7287F756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:37.376{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B0F041A005BBAE18356AF3A9F7ECF2,SHA256=45D8A52B53C8714CB5A26DB74ACE0BC9E53D55505F9317FF68F3987B0BF285E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.377{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C80E9ADDCFA53E901C8B4229A7DC10F,SHA256=7E446E26D35BE4C86320D1B4FB764FFFDCB6BF69D533BDFC9C7579846ED0D121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.362{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.362{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.346{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DG3B2HYU\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.346{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.331{FCCA13C7-3386-63C5-9501-00000000AF02}2896ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VFQMRO7Q\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:37.331{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\6BJ8DAHX\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:38.434{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BE5237A226D0DB7816D64FED318CB3,SHA256=0D7122F68165E76B559F255F289692DE4C2244DC15A8EC003C19739BAD0E791E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:38.350{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFBA9F2E3405BC17012639C0B0804CC,SHA256=47CD27745CEFEE1A15A02E54F98B0742E1BEE01631F1390F9770E6AD02D95CF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:34.647{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59200-false10.0.1.12-8000- 23542300x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:38.209{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305CC5275EBC68A9F1AF8FE344588D0E,SHA256=95A62A74E3F1139DA2C858ADD1C39B94CE9488BBA7876AB750F07BB38A274639,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:36.623{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49861-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:39.515{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B186A1FAEC1CAC22C29B05BE90A9EB,SHA256=1A7FEEB794142EC63E7C7890308ECB85185CECC951000AF42624A9098D1A3481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:39.453{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE946EB83C6F2E02097AF5D6C3A737B,SHA256=5EE536F23A8E4014B47E1C57ECEAAE2B791E30C00648E45BAC112EE4C3A392CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:40.594{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C56EC7981C6F4326A842D927D316C,SHA256=906A495FCA5A5190A3D78B6A97FB8DAFE534A05602FEA31AB1E6D88DB4EC6115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:40.541{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA1C2178EE8475E25DFD2DCB9330797,SHA256=AEB5BD2AF2AD394CB048FC02ADB0A71B48600D074EB826FDBBF06C277E477896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:41.674{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D535E8D6528F5C70D4611E1FA9D8747,SHA256=77C0E47A5460DAF54925ECC3E3680EC924FD40724732E047EEFDD2935A716B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:41.636{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AD7EA69DAAD9D62C906A74DEBC6E7D,SHA256=829620ABDBFD2EB5C01B06C06FD02F6769B97B5B8857D93561E7AA81E048876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:42.756{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226FDF575B96030DC7FE4CD92D0B6A13,SHA256=2D72C7169360303C2736A63F278280D4203E183C8A58451839DE08B9CDAB56B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.687{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5A35E7300317B8104068528154BAD2,SHA256=467BD280708547A80A7622F617CA2EC98F239F829378E4815AA6B4EDF97DC9A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.566{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.561{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.268{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.259{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.253{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.251{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.249{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.248{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.221{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.216{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.198{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.193{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.169{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.160{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.152{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.146{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.138{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.099{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:42.096{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:43.829{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68075B2BD7FF8DD98E7AD374AB04F10,SHA256=BB53D4AE2B47C62155A620D52F2D418662DB6B79AE39B15298C6C9095AA7A85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:43.869{FCCA13C7-30ED-63C5-1100-00000000AF02}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76C883637A4F73671B74E9F16481A76B,SHA256=526728C2339DCE67E2FC84D37CEC1733E1AEF6E1BD9A40CB906F6E8D3D5DA7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:43.790{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC063771E9FA56B86DD966BCACEF173,SHA256=4C47EC2F37A22E8802F6D8C3A6FB3F9549C795E54F0E1CA14257E73F0FA4EC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:43.688{312A7A06-3345-63C5-1200-00000000B002}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=981973F796C6C0EB2EB7DE03C239E69A,SHA256=D218F57F6076EF372ABB20F71F9EDEEB9C2CB1AA8745480613534EF565F06233,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:40.656{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59201-false10.0.1.12-8000- 23542300x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.888{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0450475B4817D270C66A0FBF5FE3397E,SHA256=4A67CFCAB38E892BEBF3D701C99081EABC5D9ED2D5215D9FA6BD32E4734DAC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.612{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.611{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.607{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.605{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.604{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:44.598{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000027497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.990{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032575611C574A00090B93FB195001C4,SHA256=43FC5120229768AEBF4DFDC87372E7C9CEDAE4F2243FB19D354B46A9321522D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:42.610{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49862-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:45.018{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D91C62268400229195897F04041751,SHA256=93BD699F54FD8D2426E522A7702E1E0D50D13EEFE38D473F87A434C69E7FDFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.624{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E0353BD86E4B24634A3F86DAA3CC74,SHA256=A800FAC9C664231834DDCF9862904C33B784630C1A04D81C5C64C4AE24B1F55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.514{FCCA13C7-30ED-63C5-0D00-00000000AF02}908928C:\Windows\system32\svchost.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.208{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3500-63C5-1205-00000000AF02}6688C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.200{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3392-63C5-B001-00000000AF02}5676C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.186{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3391-63C5-AD01-00000000AF02}3168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.183{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9F01-00000000AF02}4908C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.161{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.154{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3386-63C5-9301-00000000AF02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.140{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3385-63C5-9001-00000000AF02}4592C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.135{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3384-63C5-8B01-00000000AF02}3272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.134{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3383-63C5-8801-00000000AF02}3816C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.131{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3193-63C5-0401-00000000AF02}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.128{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.127{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3185-63C5-BC00-00000000AF02}4676C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.124{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.121{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3176-63C5-9A00-00000000AF02}5068C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7500-00000000AF02}3212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-3115-63C5-7400-00000000AF02}3848C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.119{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FE-63C5-3E00-00000000AF02}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 10341000x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:45.117{FCCA13C7-3392-63C5-AF01-00000000AF02}33766124C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839390) 23542300x800000000000000011072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:46.098{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C274BE59A5ECF0AF20E81416FA29BA46,SHA256=43B8D83B2AF9E9C49124AA7B30B1D8E927738C5E8205391FD3E0CB49017483A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:47.183{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF0AC70EBA985FC645780DEF68DDE58,SHA256=F03551B9C4905DC4332D85342FE7D5710BA60B220422D48E29B6313BDEC505CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:47.074{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F63791DF67041CCBAC3958BF948DB,SHA256=D95012A68091926D31C1C76667C4EF1A7D5C06A8BCF591DAF24EBF3BE211F117,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:45.110{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49863-false169.254.169.254instance-data.us-east-2.compute.internal80http 23542300x800000000000000011074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:48.254{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D7CA76EBCEF2474C9F2409755496F9,SHA256=D94749D269670C1DA4DD39B3FE34B9B59817F5742031E001B98E63B5E9EC8FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.179{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-ctus-attack-range-221.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000027500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.148{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000027499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:48.163{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3807A410C3B5B46645E3EFCA0CF722F,SHA256=2CA56162B36818D371CBF9B844041ED8F0B5852055F2C864CDD8200AB3AEC2B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.998{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1300-00000000B002}292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.992{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1200-00000000B002}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.983{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1100-00000000B002}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.952{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.946{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0F00-00000000B002}928C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.941{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0E00-00000000B002}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.934{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0D00-00000000B002}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.920{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.913{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.911{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0900-00000000B002}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 23542300x800000000000000011076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:49.329{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7815C63073CF0A823275ED1B68A7B1,SHA256=D7FF2E1BA16A70A727340E8E2F4DD48214FC840C48CDF6B5F56E25D60A6A0126,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.617{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59203-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.617{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59203-false10.0.1.14win-dc-ctus-attack-range-221.attackrange.local389ldap 354300x800000000000000027503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.546{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59202-false10.0.1.12-8000- 23542300x800000000000000027502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:49.262{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B7519E7CB4CAE7E9C17D1135D48D9B,SHA256=DEF06AD7ABD72605D69054E9A646EDC6C2F7D14AD6F05174CCC6CE02D73F15FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.878{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC86BFC8A6B781052C6028FEBE438BF,SHA256=25584B222AAF0A94B27186903F36199868F52B3A0C0ADBA341DA99984B65A859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:50.352{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3754AC6694515AA787DEDC1BAD20D711,SHA256=BEAE5781B4920FA4F6BEB9124A8269BC85DCC76E494651C6054C33541F02A0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.086{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-35A8-63C5-3501-00000000B002}2596C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.083{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33CF-63C5-EB00-00000000B002}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.081{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.080{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-A300-00000000B002}640C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.077{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-33C0-63C5-9700-00000000B002}3272C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.075{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5B00-00000000B002}3828C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.074{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-334C-63C5-5A00-00000000B002}3816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.073{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3349-63C5-3A00-00000000B002}2796C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.071{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3348-63C5-3800-00000000B002}2856C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.069{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.068{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2800-00000000B002}2708C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.065{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-2000-00000000B002}2240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.063{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1F00-00000000B002}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.058{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1C00-00000000B002}1952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.055{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.050{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.044{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1800-00000000B002}1808C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.029{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1700-00000000B002}1260C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.025{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1600-00000000B002}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.011{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 10341000x800000000000000011087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:50.003{312A7A06-3346-63C5-1D00-00000000B002}19962200C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3346-63C5-1500-00000000B002}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438F10) 22542200x800000000000000027506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:46.634{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176win-dc-ctus-attack-range-221.attackrange.local0fe80::5d46:b69e:195c:9972;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 23542300x800000000000000011111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:51.987{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0221D6B8F02C4A3C7C81C7C210D04198,SHA256=138295E1A1BE546553168BC0998E76F936F72B71CDEA64DAF06B8D5D9E368F1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:48.564{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49864-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:51.450{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26445F231BFB919210791C19BE613461,SHA256=1DEEB6ECC91F8E623189DF6BF2DA2BCCBC0E02A32403AFC3FF4623214AC72905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.944{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.944{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:52.533{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA27A2959274146589FDAD6B01936C,SHA256=B113D6FDC335AF913561D718BBDA4EBA29F6CA33399A7D13AC41C82F0260DBC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.928{312A7A06-3345-63C5-1000-00000000B002}9442624C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.913{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3345-63C5-0B00-00000000B002}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.890{312A7A06-3345-63C5-0B00-00000000B002}628668C:\Windows\system32\lsass.exe{312A7A06-3345-63C5-1000-00000000B002}944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:52.875{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1D00-00000000B002}1996C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.977{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D5D81DB9EAB2AC1F9FF9CB9557F2E16,SHA256=E271B6A18D245981FFB5C06BB0CD5C5875DA8DC69518EEC543A87D3A55E27E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:53.633{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68ED4FF0CF6DAE8DDA0C01B378B3ADE8,SHA256=546971CEF1977A1AC26D1B591FEA14B9D890FC3039ABAA78A59E1AB2C576D458,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000011141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-SetValue2023-01-16 11:36:53.618{312A7A06-3346-63C5-1400-00000000B002}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9299e-0xd4d11968) 23542300x800000000000000011140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.274{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0AE4FBBF1E79C8BC98CA3AE091949C5B,SHA256=F9B1155061621DB7A8BF0D06260844F44BFB4CCD37A4932A67F9516A63AA5F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.185{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.184{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.182{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.181{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.181{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.180{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.179{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3345-63C5-0C00-00000000B002}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.178{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.178{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-3347-63C5-2B00-00000000B002}2776C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000011122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:53.051{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4E9BF10352ED6BBE1255DF59ECE89,SHA256=D3E40036433B6FFFFE212CEBDE7A1AAD974DEFA7A69B3D612272241AB46C4BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:54.734{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7711CF7A3A85AE0EFF425BE82D717A63,SHA256=E96DCE7ED36C6D5875FA48125E2CEA43E2990E1358746A5CFCA31BC95E06F8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:51.608{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59204-false10.0.1.12-8000- 23542300x800000000000000011143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:54.032{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD740E1ADB341FAAD0BD577B16D83CED,SHA256=4A044DBFD835FBE0AB56BD7B960079C74527CDDA6A9F32821D42120A762206AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:54.248{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=371F2F63D2075915472698B87D85F4D0,SHA256=6B1754D63F1638870CB14D7480C163A29C529B02BA4F2CBBF1BDEC4DAE1F7297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.836{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D4A317D43EEF84995FE1EFF819D154,SHA256=AE5824A97405B5F24A3154571A12C4730FA6071E619D00FFAAE81FD8C8AF5E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 10341000x800000000000000011146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 10341000x800000000000000011145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.104{312A7A06-3346-63C5-1D00-00000000B002}19962540C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D4-63C5-7A01-00000000B002}4052C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012439150) 23542300x800000000000000011144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:55.016{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446E04CFC8B5346DCF72FA55196AF430,SHA256=5658B4992C64E43E0858CCD89F147441937CDF306597A5780647FFFE190C2514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43eec|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517 10341000x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43e8c|C:\Windows\System32\ieframe.dll+43d94|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517|C:\Windows\System32\mshtml.dll+117461 10341000x800000000000000027519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438|C:\Windows\System32\mshtml.dll+113bbc|C:\Windows\System32\mshtml.dll+113517|C:\Windows\System32\mshtml.dll+117461 10341000x800000000000000027518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1|C:\Windows\System32\mshtml.dll+112438 10341000x800000000000000027516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6497|C:\Windows\System32\SHCORE.DLL+6387|C:\Windows\System32\SHCORE.DLL+62fd|C:\Windows\System32\SHCORE.DLL+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 10341000x800000000000000027515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8 10341000x800000000000000027514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.242{FCCA13C7-36C3-63C5-4E05-00000000AF02}21764128C:\Windows\system32\mmc.exe{FCCA13C7-3387-63C5-9D01-00000000AF02}1284C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9b358|C:\Windows\System32\ieframe.dll+43d85|C:\Windows\System32\ieframe.dll+439d7|C:\Windows\System32\ieframe.dll+438fc|C:\Windows\System32\ieframe.dll+bdea5|C:\Windows\System32\ieframe.dll+bdc0a|C:\Windows\System32\ieframe.dll+bb299|C:\Windows\System32\ieframe.dll+d82b4|C:\Windows\System32\ieframe.dll+d6df3|C:\Windows\System32\ieframe.dll+23fdc|C:\Windows\System32\ieframe.dll+2457c|C:\Windows\System32\ieframe.dll+2436d|C:\Windows\System32\ieframe.dll+24287|C:\Windows\System32\mshtml.dll+123ef8|C:\Windows\System32\mshtml.dll+1237b1 23542300x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:56.925{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07541BB3E3B12BF82841E78D3ED4EA,SHA256=882FA8C7D509605E24BF9E20D6F4FC3A46E50378DB861903B156702FE5D2B988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.941{312A7A06-36D8-63C5-7C01-00000000B002}26322768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.723{312A7A06-36D8-63C5-7C01-00000000B002}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.205{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000011161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.078{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6F187BF451D891EA4507B255DE100D,SHA256=17A50BC6A8E32F948DDC7BB0DE3A5B90453012BAD5A859761A124F3D0A4A847D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-3345-63C5-0500-00000000B002}412528C:\Windows\system32\csrss.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.047{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:56.048{312A7A06-36D8-63C5-7B01-00000000B002}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.665{312A7A06-33C1-63C5-9F00-00000000B002}3196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A5E2035533D27B8DBD113C292FC1EE2E,SHA256=E7670C7E2FCD3CC96727AA83501081B9AA073CAECD91A4B50CA9FBF3B5BAAE97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.371{312A7A06-36D9-63C5-7D01-00000000B002}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:57.369{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF855EED734C5153060FE51CA91AE4,SHA256=7B1E59F436B4746535FF61763B7C36ECD7219F65932F623B67E85C0E50DDA9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:57.367{FCCA13C7-3184-63C5-B800-00000000AF02}3944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=8B7833B84B4C9F1382BB3C4B7988F51B,SHA256=7CBF859264BC34C7404DE9AFD9680D6A129D4B60CD75C05E50ED59CF53B73B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.930{312A7A06-36DA-63C5-7E01-00000000B002}33683052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.789{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.790{312A7A06-36DA-63C5-7E01-00000000B002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.476{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF7A75B254035B240C2EF3A2FCD61C6,SHA256=BAFB93719E20FD1B1C5829840C34B7F0F7F4DA389915FD98461A113107BC1B10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:55.843{FCCA13C7-3184-63C5-B800-00000000AF02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59205-false10.0.1.12-8089- 23542300x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:58.025{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE88D193A7A9E47E7A2450DEDDCFFC6C,SHA256=07321D464C2D62B78EF361B2677E1B8B1783ABB4B25ED0A279AD49308FA90152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:58.367{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B360E3D4F67D8754C6A85AF5473734D8,SHA256=BF816C00979F2FC3E1D4660820517EA22FABB06F5DF409D4E6BEF8ED903D617B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:54.514{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49865-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000011226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.907{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8CA1735ABBB24AB8C08132199CFB13,SHA256=5FC61C1B93E0C1112D678EC072F3D3A85E62ABE490CFE7B8186E6BA1D3B960B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.829{312A7A06-36DB-63C5-7F01-00000000B002}32922764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-3345-63C5-0500-00000000B002}412960C:\Windows\system32\csrss.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.641{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.643{312A7A06-36DB-63C5-7F01-00000000B002}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:36:59.563{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19327FA8F5CCC88F09340B370BCB2471,SHA256=5CA203EFFA742BA10137CD9A869B746A5CFED80522747F71F461ADC5AD15B1CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:56.705{FCCA13C7-318C-63C5-E900-00000000AF02}3420C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59206-false10.0.1.12-8000- 23542300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:59.127{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E73ABF42857F1655E8C9AC0ED25015,SHA256=710D7A37D899781663D8A9B260194DF27B1DE6C53D70E134E62F9D5C4D6704CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:00.221{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F91743731C55573FC0E59491465C46B,SHA256=7D1F1661C910EDF2ECC384525AF149533458B83CF8C8EB27114E84E7A56A8250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000011240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.416{312A7A06-36DC-63C5-8001-00000000B002}10803804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.283{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.284{312A7A06-36DC-63C5-8001-00000000B002}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000011257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.497{312A7A06-3346-63C5-1D00-00000000B002}19962332C:\Program Files\Aurora-Agent\aurora-agent.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000011254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-33C1-63C5-A300-00000000B002}640740C:\Windows\system32\conhost.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0500-00000000B002}412428C:\Windows\system32\csrss.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000011245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-3345-63C5-0C00-00000000B002}724760C:\Windows\system32\svchost.exe{312A7A06-3346-63C5-1A00-00000000B002}1932C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.417{312A7A06-33C1-63C5-9F00-00000000B002}31961840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000011242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.418{312A7A06-36DD-63C5-8101-00000000B002}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{312A7A06-3345-63C5-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{312A7A06-33C1-63C5-9F00-00000000B002}3196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000011241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:01.099{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEEFB3466E9C8844112D85465ED21A2,SHA256=164A40701B90317D258E2578654F1ECB340F42430AC07874F04B797D127390A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:36:58.241{FCCA13C7-30FD-63C5-3A00-00000000AF02}3488C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-221.attackrange.local59207-false169.254.169.254-80http 23542300x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:01.320{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F19CD38B81F991D3FE7D862D71D486,SHA256=6F87A59922F422B46DAF5368423356B83A59C048D3249E7CDEF4BBD9BC15DEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000011258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:02.149{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC7CAA7FBA9463EC89B1C23C71147C7,SHA256=42056C079729FB35DE06843D9A03F80DE4AAE88FE76C0F0485703CF32AD73968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.770{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2300-00000000AF02}2552C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.764{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2100-00000000AF02}2532C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000027558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.387{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD1A7EA55333DF5DC4CB97E2BDC23D8,SHA256=83FE70EBFC4013885422F0D3396AA21106195D9B294B44EB4A9C5A813FC464CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.346{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2000-00000000AF02}2520C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.335{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1F00-00000000AF02}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.329{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-1E00-00000000AF02}2344C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.327{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30F7-63C5-1C00-00000000AF02}2196C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.325{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1A00-00000000AF02}1660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.323{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1700-00000000AF02}1408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.291{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.285{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EE-63C5-1500-00000000AF02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.272{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1400-00000000AF02}1028C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.265{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1300-00000000AF02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.260{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1200-00000000AF02}616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.224{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1100-00000000AF02}416C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.214{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-1000-00000000AF02}368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.204{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0F00-00000000AF02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.197{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.188{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0D00-00000000AF02}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.181{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30ED-63C5-0C00-00000000AF02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.128{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EC-63C5-0B00-00000000AF02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:02.120{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30EB-63C5-0900-00000000AF02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 23542300x800000000000000011259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:03.230{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08494E3B8D716231802F390979D038BA,SHA256=10B6A856F37731D6BC9303A27A34163BE90BECC9C16A62C6B8D7359368F3D83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:03.446{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25744F47E6B373E307F520C3BD66F8,SHA256=144DADF322835E151D23AF18AC29AD31807DBABA9FBC4F73F523E8BED0A8B6FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.806{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FD-63C5-3000-00000000AF02}3152C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.805{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2A00-00000000AF02}2888C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.800{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2900-00000000AF02}2660C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.797{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2700-00000000AF02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.795{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2600-00000000AF02}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.788{FCCA13C7-3392-63C5-AF01-00000000AF02}33766824C:\Program Files\Aurora-Agent\aurora-agent.exe{FCCA13C7-30FB-63C5-2500-00000000AF02}2568C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017B363D0) 10341000x800000000000000027569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.570{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.554{FCCA13C7-30EE-63C5-1600-00000000AF02}1292NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=2615CEB763846F8DFD72B910B7F259B1,SHA256=A3E8A5B5E6FBC831FBEA6D819B4A501EEB6013EBF54073DDC43836F8BCD9089C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.536{FCCA13C7-3193-63C5-0401-00000000AF02}3508NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BADB78ADACB3F06740D80C925F0F149,SHA256=057991608979CAF144ADF98C550554CF3941485DFF8AB866B515DDDE2EE6F875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.518{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EA-63C5-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.506{FCCA13C7-30ED-63C5-0C00-00000000AF02}848288C:\Windows\system32\svchost.exe{FCCA13C7-3392-63C5-AF01-00000000AF02}3376C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000011261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:04.301{312A7A06-33CF-63C5-EB00-00000000B002}1280NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3BD3A818C420BD38264839F3A8C35C,SHA256=BFF5B6C4B9F1313914E366AFC82AB22A2BA760903856DD749FA3CAE5CB270F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000011260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-589-2023-01-16 11:37:00.520{312A7A06-33C9-63C5-D000-00000000B002}3968C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-589.us-east-2.compute.internal49866-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.427{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.412{FCCA13C7-30EC-63C5-0B00-00000000AF02}628812C:\Windows\system32\lsass.exe{FCCA13C7-30EE-63C5-1600-00000000AF02}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:04.412{FCCA13C7-36C3-63C5-4E05-00000000AF02}2176ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=2615CEB763846F8DFD72B910B7F259B1,SHA256=A3E8A5B5E6FBC831FBEA6D819B4A501EEB6013EBF54073DDC43836F8BCD9089C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-221.attackrange.local-2023-01-16 11:37:05.800{FCCA13C7-3193-63C5-0401-00000000AF02}3508<