23542300x8000000000000000391905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:21.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519662C150CF23C04FC62D8B9399F9DE,SHA256=AD0951BB768FE9B5561F69BCCE6C4C9380CF0A0B7DE99ABA059E72EEA2287F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:21.868{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8400C541B577B9053F137345121F87D0,SHA256=B15D16AD2216239374A776B3893C1A29427C60D72296E5FC8375AD8596D21934,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000838281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_1DB41A76-0000-0000-0000-100000000000.XML 13241300x8000000000000000838280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Config SourceDWORD (0x00000001) 13241300x8000000000000000838279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77.XML 10341000x8000000000000000838278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.839{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.839{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.436{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.434{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.431{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.429{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.428{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.426{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.426{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 23542300x8000000000000000838269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.221{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECA1E430C7C200909DEEF84473404D7,SHA256=25C9C1EBC18AA3E1B075ADFB5542B22121CA5A39BD51BEFC62F81265F481443A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:22.973{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE719F07A022A113F4D93E02DC723F9,SHA256=C248B2F5A2626A55249082BDA9F7AF6C28E8E4735E2A60EF6C6BBED0F7DC36DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.343{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-058MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.292{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB521CE2BCE422D0FE24E3A7EBFC25ED,SHA256=6C67AEF2EEB07CCE5A7D27F3D3FC5E893ED2808E5DDA0EA3B87AC9F570F6E757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:20.022{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50423-false10.0.1.12-8000- 23542300x8000000000000000838296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.738{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61C7B1B976171869DCCBD51A194116D8,SHA256=AD4A441D323A5B54C2E99CA8E695871861B44D8699C53B0E45DC84ABA0F8ECB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.707{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.707{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.282{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54010-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000838292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.282{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54010-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 10341000x8000000000000000838291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.386{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6729F8C48348F5DFFB489A102EDC5EB5,SHA256=6F0FF7E93C2CDA32F7FE7895A5595BE530532E20697AB2AB86B7A44C9DF9FB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.347{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000391936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.706{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.699{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.696{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.694{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.693{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.690{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.689{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.687{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.684{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.679{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.677{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.673{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.670{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.658{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.649{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.646{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.625{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.616{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.600{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.585{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.572{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.525{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.516{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.509{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.499{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.490{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.471{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.468{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 354300x8000000000000000838301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.131{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54011-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.131{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54011-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.302{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:88c1:e4d5:88aa:ffff-53831-truee000:fc:47c7:6689:5d3:4ebe:ff48:8b05-5355llmnr 354300x8000000000000000838298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.302{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local53831-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000838297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:24.486{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B24DBABE2BC69E2E5583E200B9C8762,SHA256=A7FB0FB4C7577E5F844BFCC58F81C748E93F6EF058EA65F3400F57E7D79D4BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:24.234{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD5DA8703584F422CBC08073BB11CAD,SHA256=3E51B6FA853B93DEA59132CDF63E72B0540A52832211CEF797FB04EC098F42B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.984{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54012-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.984{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54012-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000838302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:25.582{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D50CE8A2F6C058AA8DE5DDA41910059,SHA256=08D092F21D1A56E238AF52DCBDA067F5A6346D0EECF7A74B40A703D4A6210A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:25.357{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72CAECCE6065A147055881EC02E0848,SHA256=F3EE3F53830DF6FF3871816C03FAE21D7CCD58943808FEA2409DC838101755DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:24.572{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54013-false10.0.1.12-8000- 23542300x8000000000000000838305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:26.680{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB00AA6F326984116E6D2E368A1894EE,SHA256=6AE5788C2EC42DC974213C726A76F3746994FD6EDEA7116748EF09914E358EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:26.448{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9380957F660C2156B598FD5B2EAC6EA4,SHA256=37DF63FEB9000B42BD6693F6605F8E2B422928FB14B7ECF3F933356345CA2BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:27.768{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D965E96E597FF67CDBF0F28E567B44,SHA256=630A9B2AC2B4926B4C609EB74ED3088BFE9E954E70B6088FDC5793CA2268CDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:27.536{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE7BBA0432B3F0C032684C6DCF3E557,SHA256=D92A257E64A1E7783A58EBFAD2ADDDD1CD8C24BD0817CB5A9276291CE3272A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:28.847{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B91C76DC2F64DB3D3A34FA25789A554,SHA256=86E9C25F48D3212B5CF27256D23CAE67BFB02D1F41376EB3D258DEC3400F8893,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:25.985{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50424-false10.0.1.12-8000- 23542300x8000000000000000391941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:28.613{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85412830E4F5D1760007F43FE1110030,SHA256=913C47D1FF859632D1327B889FF0AE8866EA912E53D380A41CDF180BD241F411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:29.938{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255C1FD6F5B5D84E9150347EE1CD541B,SHA256=4F1A0A42D2F5E806F146C34522EC584CE83905A19C8EC5B00905A34EC5BD1E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:29.719{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CB6C71FBCA7342B20AA4CBC8A2B83C,SHA256=6D70B7B03A109D2156A29F2E11F4A6F84A2A2D9E35253DE532E125112F74E963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:30.806{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB163F062F7AF9DEA5D06C82DA054AA9,SHA256=420B6327A1BCB9D6637F15003BF5C217620DE9D000707FB83E71E736FC42469A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:31.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CF6ABDFA2CA0AF3FDD507B3F411C75,SHA256=B3673E45A255FFB2D096430B140889C06CD79FACC0815D006F890CA5BFF24B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:31.028{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013ACBEFAD1FE84E04F977904635E58C,SHA256=1C3CB8B486CAB4B8E20FAD839C71101CA8DD4EF3B7C83D005212509E7B781563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:32.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53E82101386AEBAABACC9238A6CAB78,SHA256=710B6824877A2D8B17472ED5C45997326D4820AEC2E2C2087107097FF2D02502,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:30.590{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54014-false10.0.1.12-8000- 23542300x8000000000000000838311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:32.110{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A8E269DCF7872B276436877C9CE987,SHA256=7EA5C21F9B0D3B8B7423BE490A13C24872227A3D586A5E353B0CE3F7C9C82A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:33.207{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8D8FC1A3F2D73A278DD23722830AD9,SHA256=D810B59A9BC3F33B48B86461CF8078985AD950534A8CDF63A81DC6B595409EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:34.285{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F39A72A90295C014B3C22BF2E6623E0,SHA256=B8599E20DFED3B5EC794959CA065F503D8AB61497FC2B8BC5EC8278894DCCE7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:31.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50425-false10.0.1.12-8000- 23542300x8000000000000000391947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:34.055{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0526EC0253AE569E98629B368FACD3E1,SHA256=18406CA066AFB47A0275A7E83810EF18DA8D3E7C32395D9277C9C640150FFD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:35.360{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B433663C5A53AE919FD13CE078CF9AFD,SHA256=3559EBA50E2C4B9DEF9125D6041BF271E078F38351C9C77E4E4772EDBDA79628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:35.144{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F7E800DBB2F9300D5A4003172180E1,SHA256=79C2635BD2E79AB7958D5703D373DE4FF9F024CA1F5E654FD5B6CEE308AB43E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:36.649{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=87E984236A039FC240CC432B99CBB9D4,SHA256=28C1FAA966F9C401317122F36CD57F015A73ACFF5C01475109200FD44A4A9715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:36.450{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F881AFBDC1555870EB125A8CEDA63A7E,SHA256=AF8F829D3C6D5713CCA6A36D83E00D2BB880667E474760A7369E66BE8DEB6430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:36.217{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C087E8A83601C185A966413A24BDAE,SHA256=EE452567515998C8F87A17019CE9285B9190471A7C998FB3EBF9423C7141E279,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:35.673{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54015-false10.0.1.12-8000- 23542300x8000000000000000838318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:37.538{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CA8B3C1D8CA6D27FF7376E6F9E62E8,SHA256=03C2B89B195262B101497101D551FCA4A622DE90C3BA7E149FAA6907E98DA01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.306{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308F1D7F311C5082EB23F3905AD806B4,SHA256=BA546E6009671BDB7247689DB7BFB037C37AE934980B374AD1A0D0F799114155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.118{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=40E34E61500C14681CE07CFEF055AD1C,SHA256=8D0CD9D9FC15FA59D7E6CA343EA94081228156884E4AEBB6C291AAAB816CE9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:38.390{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB5069998619C45FFC11C177F778287,SHA256=4C70AF9052988C66FC6177F97EE607C4EBCCB9CE619EDADCBFC491A1557466C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.333{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.328{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.319{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.317{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.304{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=66FBE1CEEA473AB454273827E5077124,SHA256=A7AD0BAFEADC8C9D4F58F9F08F89912776FD159C27D361BD3E4260799D7EE31D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.282{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.278{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.273{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.255{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.239{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.233{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.231{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.225{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.195{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.182{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.156{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.142{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.137{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.125{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.118{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.111{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.103{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.097{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.090{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.049{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.046{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000391954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:39.486{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49D182E5DA517388190A97128BECF2,SHA256=40D5008BE58C27B2E4EF93F6E511E1518C71F653EF5633FD743741C1094929C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:39.141{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:39.039{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A10A59EDF180DF1171004DED5EBE4,SHA256=F1AC1F4633F012F73FEB68E32B31E7A056513E5C2D0F292423FB6751BC6AF4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:40.588{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E1D3E5E79A8119746C4DE510B2E526,SHA256=42DAB8517C787829DFF2F305EAC7EA7D8D687E64649DAFC171A3513ACE5D8E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:40.177{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2132A0244E5163DCCF69C725E532021B,SHA256=101CB3F75BBB0CA60AFA88306EC8FB85DFB2C7F556A5F7127A72A397B9D16AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:41.655{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05431E102CA883482FBE220D98275292,SHA256=80B6ED93B1CEF067A1166610B2C6FCD0E4E2DCFF9DE3B2490D8E4AA39A34DD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.717{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.714{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.711{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.708{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.707{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.703{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.702{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.255{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF5276D3F3BD0622EC7C0E22FF4E8AE,SHA256=0AE2ECDCBB2C9594645C0BBCC49456ACEAA206DB049013516444DF7983A36197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.183{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.181{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 354300x8000000000000000391956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.841{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50426-false10.0.1.12-8000- 23542300x8000000000000000391958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:42.738{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A055C30FB6E210298A14E56F7C5BD9,SHA256=FDAA12CCB19C83D4DB4C1862C53FD95CDE682E6DF5385F52730DB7606E8C22A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:42.250{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE8826EE53AED1F89D01B07C9BDA1AB,SHA256=8E1920C02850435945BEE5ADE18C9CAFBAFE43C9A0C2B5753D449D8636AE2A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.987{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083BEAA96A5A98CC3232CDE3DD763E41,SHA256=FC9715A448D6AE387B7BF8D3217C44F6668F671F571547A6F69415A4AB25D0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.629{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54016-false10.0.1.12-8000- 23542300x8000000000000000838360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.333{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95695E140D815FA38D318975EDB76CCD,SHA256=7171A55E6B667D2278783942B388DF29AC8E3D3E2423EDBF360B2D4C8DD46DE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000391987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.706{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.700{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.697{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.693{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.692{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.689{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.688{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.686{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.683{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.678{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.675{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.670{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.663{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.652{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.630{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.628{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.600{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.579{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.570{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.560{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.550{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.520{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.512{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.502{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.489{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.485{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.481{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.473{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.471{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 23542300x8000000000000000838384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.434{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88FA703435A3F5B7FEB7ACAAF25C628,SHA256=774B838BB4BF013D8208574C88BA10641C14D54D490FBF9A335BBC31F584547E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.294{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97cd2|C:\Windows\system32\kerberos.DLL+79ec8|C:\Windows\system32\kerberos.DLL+1453f|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+2dad6|C:\Windows\system32\lsasrv.dll+33369|C:\Windows\system32\lsasrv.dll+30cb7|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+17b1d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000838379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.294{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.216{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:45.521{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67315625865376602D4C5BD07DA201C,SHA256=6F47F7A0F996D97E84184660C5028EB8A9B6EFB63E916CA89CC9FE1112C87225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:45.005{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0083040CDFE6538BDCD378EB822D289F,SHA256=3AE0508B6B5CE7E3CF61AA7722925E8391B58867A64F136EECCB83459382DA20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.742{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54021-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000838394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.742{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54021-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000838393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.662{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54020-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.662{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54020-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54019-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000838390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54019-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000838389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54018-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.635{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54018-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.634{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54017-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000838386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.633{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54017-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 23542300x8000000000000000838385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:45.287{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34BF5FDE9DFAACA416AC79B71D5FFB05,SHA256=1A58B3F7D7908229B0A1627CDF24AB79AC531191B4C43C4114F8E2D04CB9BC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:46.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE114D6018FD436046CF7136E1B7AB71,SHA256=5CACAF8753B0DDDCA283C6FFE6753F0379767A1028D2BC6DB501536DFF10A1B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:42.931{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50427-false10.0.1.12-8000- 10341000x8000000000000000391991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:46.205{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000391990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:46.084{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BC2F12CBF792A7A6C63DA873A1ECDA,SHA256=49DB6F7648C896570DCB68BBB89079334D9DAE48C023C59ED70CDA0F9B9DC260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:47.698{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07333219C381A15A0488FB58A4122442,SHA256=9AAE301DF123C346D5B1E71F966FABAF063D15752A5CA0571B6FDB25A4C48F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:47.161{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E49419323031BF6A1ADD1E75277F197,SHA256=B6311DE3C52FEC6F4FA14B3F343FF5D5277B9447B43C759CEC7B8598F190C318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:48.787{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF05720EE9A202419DF7F2052FC986,SHA256=9F656A4F8D9AFEE63A34254AC255170B05698C7B00B83D3C01FEA3FBC4293B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.249{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA86BD98F2DFC0CC20DBA421CE4DD386,SHA256=63D6F51F194F82BB0141CC651D9ADB4E7143857908DB25D483FAF8902C7A2021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:49.875{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E8152579A9E183EC2E84D0C7D5D288,SHA256=3184DA3E8561831A7D2DE0E6606E09A0B8873194A9626E80949A86AB92ED30C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000391999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000391998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000391997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.878{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000391996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.550{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.331{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FB4A09189DB8087083802E543F335C,SHA256=7F8F230FE42BFF03077A7CECF1872CF2B9DE8114CBF95859150A25BFF6B6A13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:50.983{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB11C9FE7E6C7C1457A22219E1CA8CD1,SHA256=6BDCD8D4A42A10758BCFAAB9A704527848061560BA1451EDF9706704E6C19E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.947{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=857EDAF42BF8BEDD680F433D93D11F90,SHA256=296B42CD9875EE9FCDCE24C08BB7C472BC4157CB87F0D52A14D2C9C4EC94AD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.838{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9A4D4B02A053A56C189F698B90FB768B,SHA256=B0466856A160F9B1924BDD42D91DA842E491C909CE576ED836453432578E3694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.562{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.421{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B45C1AA13BAD97DBE3E667FE836179C,SHA256=89DF82D25A2E4B73A46BF2B9CED0B138F90314EC810E3A98B3D740C19230C3A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:47.577{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54022-false10.0.1.12-8000- 10341000x8000000000000000392010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.061{E56ECBBF-22C9-6387-4E02-000000009902}14563216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.516{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290AC063A9BED51DDC86556330CE2AF2,SHA256=C546539AC8EC6396ADFFE339C019E04ADAD57BD930E6FB2D5E4E5D96EE227668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000838403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:51.173{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.822{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50429-false10.0.1.12-8000- 354300x8000000000000000392027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.295{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50428-false10.0.1.12-8089- 23542300x8000000000000000392044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:52.502{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D00598FECA5B1B9EDD2DDBDEDB3E83,SHA256=8552DB62A93EF41CC6E1A683B7FBA5DB8ADC958DF64517CC1602B9AB1703CA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.802{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.071{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833C3334E6CBEA9240FC0215B91EDBE7,SHA256=CFE340A6C36B674129947FCBE1EB1DA24FBB909C673968B5B85BE160AC97F975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:52.080{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C88EE9D4BAA9B86563764D77A55DF4B5,SHA256=62849C813B27E7B2DF4111E46A364CB549AF0D68E44AE282EDB1A06B09D799C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.938{E56ECBBF-22CD-6387-5102-000000009902}2792212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.756{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.752{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.595{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C7D5B2BD424E1C734ACB63C3EA25A0,SHA256=FD4AE0ABA66F0CCEF4FEBE3E65B15E9C0564E87EBB78CF16CD4CC813F61A8FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:53.167{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4635BAAA6ACBF4DCECCB3C19360646CD,SHA256=9805BE6576FB0A4278065E4DC4EFE3281A4C51C3D38EBED82CAA2316329CC372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.731{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BEA235D480D57A7C11982D126B9BEB,SHA256=DF9E1AFD837B8451DAC67703D4968198690AB7417C83211F309F1EC0FA536D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:54.239{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CAC6A2B61714F31F78C913C959E2D1,SHA256=ABC3A412D9C142F1B23C02694CEC3A2D614C07F859DBD3883F391D0B029E56D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.590{E56ECBBF-22CE-6387-5202-000000009902}33323404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.435{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.229{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54023-false10.0.1.12-8089- 10341000x8000000000000000392099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.798{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFE801B7A56F6F2DD86A1EAC0423B1C,SHA256=D05845913C5E89E5D273787E654297BF654A5F12CA7D52D5F9ED74771085A6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:55.328{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D77ED94320E2A32E87D124D445CA64,SHA256=3E5A9ACCE1370DBD7F2218F9CA90E3CD0C73AF492E8740BD5549E4EC986C4F90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.270{E56ECBBF-22CF-6387-5302-000000009902}1256620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.115{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.635{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54024-false10.0.1.12-8000- 23542300x8000000000000000392105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.886{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62118E05C1DF13461C42108F53A91166,SHA256=769D55457B63C6B4B28231F754F48A35A1755BC3CC73905448582545770FAF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:56.410{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07403BEB5482EB12A9BF505B58EF3298,SHA256=8B96C0029E8A7B71E639433FB7E5807044BE2D26EDA8B0E0346B0E37054BA58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:56.379{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE1241B2B9FB679D638211F825876BC,SHA256=D505DED6385A3905972923CE11E8B5A1B426C9135828E7263BDB80BCB77C4731,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.890{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50430-false10.0.1.12-8000- 23542300x8000000000000000392103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.173{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F2057F9BAFE9A97BC5927AA7DC27BF1,SHA256=E4322FDA6D8ADF94ADAE9CB87CC14E9248980712D5D8AA454A9FD2D06F344869,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.000{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:57.966{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166FE241BED10DBEB0CCC0DF8778C06D,SHA256=7CC6F8331480D434D90738F2ABE316D5E0B7E6EAD1BDA91BE6F61A1ADDFA4A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:57.510{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C188B03AD88E4580A5CA891D0789F4,SHA256=C47314A01F4F4ACA92FF6DDE9246CE9CF8206E776949E7B1CD38444DC1BCDBAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.787{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.587{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB76625094401AE016FD5B3700A746,SHA256=596EF5D44C8C936E625ADE39D8A8BE1BA0BF41E9F44D2DDAFF6AD8F764119AF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.375{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.372{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.354{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.352{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.328{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.325{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.323{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.309{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.297{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.287{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.285{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.275{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.222{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.210{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.194{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.185{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.179{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.171{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.162{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.155{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.144{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.136{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.129{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.073{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.062{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:59.663{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A21FFDCAAFD2E5CA902DC946747D9F,SHA256=A6A353E63867CA638DFBA5A1DFAFF491266F970BB267350C4C0835C758F6D78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:59.048{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAC2A2D728A44E0D0B38EFC22963AC0,SHA256=7CC8265CA788F1E5FE5DB0126F1718FB92C012BB73F07511485FFB50B8E2F9F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.825{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.823{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.745{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652C3E937D0520475B8DB3EE82654EB5,SHA256=48F63431F35082AFBCCE26290705A569FD53C01ACDADDE5BE4F5A639BCA6B739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:00.131{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE44B7FCEAD6AEA9142D752D71E70426,SHA256=32E5D410271F5356E5CBC95C2A19A636F432C66D55CDE9C7A7D540E89B35959C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:57.637{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54025-false10.0.1.12-8000- 10341000x8000000000000000838457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.865{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.865{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.864{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.831{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8E6E5388A24D126E0D4638E63C2700,SHA256=2DFC15C03C61F83DF3EB17843CC710B50115E2E98226AFCEA85BEE6096E681E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:01.206{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1917C71BCD37787826274446E4E6A2,SHA256=300B34EBE5B3B6F54BB290375DAFE31A1A23326E61F1D8273573B2247967328C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.353{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.348{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.345{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.342{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.341{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.338{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.337{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:02.913{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F716BF95FC8B9EDBDED8B4FA766BF033,SHA256=150B696E65C75B5B231D2466E8E9BCB7B5B67204137AFB9DEEEC74D378C9453E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:02.850{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:59.798{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50431-false10.0.1.12-8000- 23542300x8000000000000000392110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:02.296{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B339B9354EF36F3404773EE0089ADF,SHA256=92EFCC93D183EAF6A5E940C1BA3FD69E76E14C02AA6FEE0C75784377913C22F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:03.882{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B7A043CE11A068D12770133BD10FA5,SHA256=305BB02744BAACB406E2062368397B80B9764AEF45B642EB38286A03BE1B6BAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.693{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.691{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.689{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.686{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.685{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.682{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.681{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.680{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.677{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.674{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.673{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.666{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.663{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.657{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.649{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.635{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.629{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.619{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.605{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.570{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.555{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.544{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.530{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.512{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.499{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.486{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.480{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 23542300x8000000000000000392112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.386{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E9FC48E09BCDCA9CF312DA143194BC,SHA256=367263345596D373F184F4EAC45153224365267E8D8118CBB142AFDE67837CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:04.958{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57436D3EA5C1697B1892EE6C63B20E8,SHA256=E41BC03A269D682D12B7FE273209001C74864D5612FF9A5029FD283676AC2F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:04.830{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5968AB9213E71DA284BEF28AD52030A9,SHA256=A2F8F24D747F0767C0B734F66FEBE8DADF758C2DA02F879C6C762A3C9DA982D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:05.903{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C1E07C71DE47B3D1383D07A7E5CA80,SHA256=85613F914805FD0439C93491F84E70D2CFED8B2E3F0986E58F2801489129954F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.810{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.342{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=567EF1BE79BF0A990DB99786A8D61E46,SHA256=D8F4556406DAE59AA41B66915DA2C8EB2440CB5D4DEF4F0129DB889665B6DA04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 354300x8000000000000000838475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:03.543{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54026-false10.0.1.12-8000- 10341000x8000000000000000838474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.147{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:06.994{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868DC2EFEBEE335CA3F326A1BBFE2C6,SHA256=0CF656EA74FC86A969CAB3BFFB9C78F7CCAE76C02879EFEDA591478CC284F3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.932{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EAC6CB3D9E0C50E8205C4FE5DFADA27,SHA256=678318F55D32CC978B698FAB283B4096BB85E054FD957BD0C8B0AE73A1642C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.503{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E01F25C0DFC20EA7D4E0291AC36AD14,SHA256=E58BE14522268CD0CD293B6495B3ACB9BDECE649C1633FC6D38A3B7DA84B625F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.503{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8858D0C3A23F0ED48912DD4E908818,SHA256=050282860F200790DA338D8AD17B1E16277D41F316A95A56406E7F990CDD80EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.487{8A63456F-22DA-6387-5502-000000009802}42404460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.313{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:07.363{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D1263A2756885FBFD8D863924B53D0,SHA256=A2EE89367AA832ECAEF1E2918163939BEB21F336099E3862E4663071878ECBA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:04.889{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50432-false10.0.1.12-8000- 10341000x8000000000000000838525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.801{8A63456F-22DC-6387-5602-000000009802}43724156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.540{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.435{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C431BFF40BA33316CC67371425CB9A2,SHA256=9D7401B26722AE028C24E8997F1281E0146965139BD5B4B6AADE5FB245C3CB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:08.335{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7C4B9A1B04C2AFBE542CC66324082F3F,SHA256=D9E6395CC9EF9B21BF14E618953CB2406EA6AF221455C1F872D54AF8939299B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:08.077{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F9E44F1177B0FAEB593E1A16F670C,SHA256=C8FC0387C7E2DAAE9C8B0A3D99E7BAEE148910161EC90626223AD41D2290234D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.982{8A63456F-22DD-6387-5802-000000009802}46123084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.903{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8EC9874CFEF61323BDA954EBA550B6,SHA256=D0920B612904F3F7DCDC691E1AD1A3619379DA3AEB96151F055D967412D5A98E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:09.488{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-059MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:09.159{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850AA579533643681B6D90DD9042B3C9,SHA256=00D045F7732B4A22EAD5D98939C26D4E31AFFFB3422A0C5F97A3EA8D0E0132C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.784{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54027-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.784{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54027-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000838539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.316{8A63456F-22DD-6387-5702-000000009802}28284248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.052{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:10.849{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE17B0B280EEBC1FE4C73AC03C191AE,SHA256=BE0ABC51E5FFB15B56E613E1A604A9205AA0C2029C29DABF5A8A58597D9BB210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.490{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.243{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FAC14D4C6AB5E2ECCFD7E2D6025B2F,SHA256=6C220663F02A718070F1C2038277D49BCD23D5DCE63C5A480575053EDF0D3272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.929{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED276E1AE911D9580DE9D52A19BFFAC,SHA256=1112B9B52713E854C6648D16C58BBB46E23D211477052235B1B99D740F18CD65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.867{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:11.313{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EC9336C4C4CC502B9E2443F3D6E9D0,SHA256=FD672E8E0338B26A4D6F91632339F867DEF72078DA4F4FB9A73A482F2D4B02BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.580{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54028-false10.0.1.12-8000- 23542300x8000000000000000838573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:12.900{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=762CD888FC8DC724104343E2F9226B7A,SHA256=C68AB2324F05C2F2514417FF391AC79D2FF114358CA5C0D6FF934FE68E23D116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:12.401{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7E304A4459E533132E6B74470F3E62,SHA256=A1644A3DDFF2E5A37D6CFC0F5894595B22E6D747F9D72463C199B4253807D347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:13.976{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56820AC88BD1B0324517531539A9DD8B,SHA256=F87A255778199EBEDF7941D009B6A323F8C265A49E1A24FAAC87B373B279014B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.850{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50433-false10.0.1.12-8000- 23542300x8000000000000000392154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:13.485{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2DE4EC40EEAFB5939A225A94F7C253,SHA256=555FA0CC84D8FEEBB3F2044F39ACF5BBF854491D5F6BAE4950B52B82E409A576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:13.009{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54F6941C4AF22ACA1DAED50D9218DFB,SHA256=8B382EC6FD01F6FEBF019827B535320A6798EF025D57EA95F51687D89459496B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:14.568{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C4689DBDE344A1ECBF055251DD9807,SHA256=D103D1A59CD8BC624638BFCF3BF795CAE435298DD5D63D8D37474C1E856D9CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:15.641{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEA496B1BF707759922D158A65EFA0A,SHA256=8809C6C0EA41BB3E57228732C53DCDEB1ADFCA49BF27046724AFBE9793441563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:15.065{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F899B1B983B80A11E4CCCFD56B2B8ED,SHA256=955DBF2727BBBFF83903F32C6B8D846D2B305A6FDC4A1F9C1AA6545492B7AC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:16.717{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148C28DC70373F3F52287E4BF828AF2B,SHA256=4F7E8F37729B9697FD0DA3E5F4991EDA1DB7C7B6369AC0376A58DC215D4DC74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:16.150{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F370DC605F1918B1A5A09992EE9336,SHA256=A5D64185873CDD07D56372862528411DC12FA591B6BBF551688C28236D640187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:17.805{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9C07C9664D5539F01AF4FF77566471,SHA256=786C89A46761FDC63D7BCB0B5B07E27D587AD732BD137C23219FA9B670E506A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:15.577{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54029-false10.0.1.12-8000- 23542300x8000000000000000838578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.241{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A7C07ABD424494A49F49813AA2D233,SHA256=235AEEC486166685516FCF2187D7CA913887CC0B99D43B599128CC7F3BD87F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:18.873{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858A5EC5DD154A6F759800BDB2FE61D8,SHA256=C8CA1E02DC39BD4567AAE38712CF2458B809F37F714443980FD511F3885721FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.855{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.325{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.322{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60F5CF9F41A96B27C7FF32752250243,SHA256=079133FDEDA9EEBF2502C3A8FF911DE335C2C80DFF0693C0E9D74BDBC293A9D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.312{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.294{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.293{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.244{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.240{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.236{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.229{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.223{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.216{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.214{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.212{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.186{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.180{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.162{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.156{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.148{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.140{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.133{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.125{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.118{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.109{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.101{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.048{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.045{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:19.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A5D9FA28141AA0305D7802F1167EB1,SHA256=C474426338CF787F2D031F5B6116F3774309C0DDFF16280A45EFE60207EA2DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.902{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53831- 354300x8000000000000000838609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.902{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local63259- 354300x8000000000000000838608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.900{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54354- 23542300x8000000000000000838607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:19.260{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0096E9E02FA15D5B5EFAB7D926299463,SHA256=08BE3B3A0E10F8D37DECA6C83A20AF6EE87B55A42C56A6156217D5542C82AB0C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000392171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000392170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00388feb) 13241300x8000000000000000392169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x1e512d5d) 13241300x8000000000000000392168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0x8015955d) 13241300x8000000000000000392167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a6-0xe1d9fd5d) 13241300x8000000000000000392166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000392165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00388feb) 13241300x8000000000000000392164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x1e512d5d) 13241300x8000000000000000392163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0x8015955d) 13241300x8000000000000000392162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a6-0xe1d9fd5d) 354300x8000000000000000392161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:15.957{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50434-false10.0.1.12-8000- 10341000x8000000000000000838614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.907{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.906{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 354300x8000000000000000838612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.903{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local62860- 23542300x8000000000000000838611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.362{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A29B7A30849BE6B19C6EF2A4575D43,SHA256=1EB58CB09F29568E11860A297D081E2CBFADE0365C333328DB8D05F78C2D5B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ABAA1F9DAC775390499714D4A4B1BC,SHA256=D48DAB933832151C7BB8AC1AA3AB7C474D3545F975DDA4DCD1236305516216AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.443{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.438{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.435{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.430{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.429{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.425{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.422{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:21.045{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F68D7B32D7758322223D666BB6FCBFD,SHA256=AF8D305D79B4BFE781BA49EE0BE0B7FBFF49B365F09D98D4545CEA80C2757913,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.600{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54030-false10.0.1.12-8000- 23542300x8000000000000000838623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:22.520{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C85E6DA3C9FAC7402909E4E2CDC686C,SHA256=424CCF4EDCF7410DA38CAA8CEE167A9C0B7BAD344C97E55162656BDD7C8F649A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:22.317{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DF3F859363A00277C034E498CE311FE5,SHA256=E46B9DF97AC9273DE98F1C344C380F414F0A3BA7CABE57FE2566191496A7888F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:22.129{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7BBB532F05FDEFC1D7320B1E679C4F,SHA256=E9220253CCCF382669AB466B039A1FDD135F4FCE23770056D324B216EF2AD13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:23.859{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-059MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:23.597{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494DD48E3DFB2DC192313A457EC0FC74,SHA256=EC211C84F393CDB370F57C7B870F224640C0378B13C6BD65609D36B6DE67890B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.656{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.653{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.649{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.647{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.646{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.643{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.641{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.640{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.637{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.631{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.630{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.619{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.610{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.602{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.592{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.590{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.575{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.568{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.560{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.553{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.547{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.523{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.515{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.509{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.501{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.493{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.484{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.478{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.474{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 23542300x8000000000000000392176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.217{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CBF1F36C2E42E509093D9C1C831C40,SHA256=0F968F2FA192589071B317971555D3C01ECD77DB0ED637E4658380CA676651E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:24.868{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:24.673{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08390C76CA13795BCC4BF9A19297C633,SHA256=B2AD41D9D4B05664F96B3FA7904C1FAA7DB14C68A64F9FC82E308B6B46B99F78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:21.945{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50435-false10.0.1.12-8000- 23542300x8000000000000000392206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:24.753{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9817F204CAE954C9849008961DEFA3,SHA256=D44156423A47FCA93D32364F8DF4BD933BAD07C6D8828A5F79DA98759105CCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:25.760{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A6743CF06ED1CB56AF9ECFA70F9368,SHA256=4D07F688AB46B855BDCEF57F710CDF21E6C90B5A275586542F3DC9B5EEB1EA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:25.822{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBBA313B7543A1093A707D82BD887F7,SHA256=508F4D550B54F2AFBF8BA9250B773A6CFD2C828C3697017CA85625BF80BC9125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:26.845{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A01574A42B0C4402CC5E514CA2531,SHA256=06EF92EFD1B8ED8D9D5E478EE021C3619617C1D83E8102DEDBFAD55B860BC016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:26.907{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10F0FDCB7E32C16704502FE302BBCE6,SHA256=18CB92281C2684CBE93BB2DD7AF79A8177D8F540B4AB1BDCA8C6DED7EEBBC024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:27.940{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E15BAB2A8E4461E4953ABECE0D98F2A,SHA256=78DE7F2687CBA1B2EB0F0EDF97C98B16F266479C3111A98E0E0A7C4DCEBB1453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:27.986{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ADFC5F4EA6CAB732B416634FBB57E3,SHA256=5D5837CE51FA107E2F8D7F5929D4494377C9AA8FA853BE0245D6A2C5AEE307D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:26.579{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54031-false10.0.1.12-8000- 23542300x8000000000000000838632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:29.012{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CD703557401A39CAEE6E1EAF9978E0,SHA256=46B73FD4D57A2B63782306757793E0B2868C5ED487B84883345C902476EDB526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:29.065{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3517DA6CAB24458A4B2B92BBA3D9E6AE,SHA256=E57F24873D7D60A9C8A5B5B60F6D6F7B74A06C0AC278F03B150D745F34B9C3F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:30.151{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1255A14751037F9E73C66FD21DB52A43,SHA256=AC841FEA6B7CFD404504862844505DE785133DC806B9462246CC9DE0E705EF31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:30.081{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3753816A75FF537552F3748045527EC,SHA256=13677EC9D4556A603A7369E64896447C5A4DD6FA1DB9DC182FC696197524BEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:31.244{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D455896A982187209F50FC2710D1C48,SHA256=13D60AF9E7EE6AD1A861A6C60C9EA1302271BBD895D9657A53F03A2EA6A4C195,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:27.857{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50436-false10.0.1.12-8000- 23542300x8000000000000000838635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:31.151{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269E751DBF67BCC001D27627867ED0C6,SHA256=3FAF41108ADE89B84BDECEE06DCEE58BB608785AF99ABE26F12B100943A9BDD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:32.331{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43954C1EBF9370E3F3073DF605BD576,SHA256=24FC07EDE9684A37B810B9D05AAD85DE6AE0D7326B595B8A7904DB9518C70700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:32.243{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248EF69503AA921A15536C337B8EB295,SHA256=AE8F444FD8EE43E9432909179738E371CC17C0EDA9CDCE6D1281033EFAEE7228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:33.409{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DF3EF846617D73D46A11B4951DFF46,SHA256=99E31F77AB799C7E0BE52FA8D6104D864D2F0A88CD30C289B0C6D1A65AB68E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:33.336{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D643E263B75951D374323A8E183424,SHA256=31627454537E6DBCB6143E95F67E45A0C2A232139949D642B35E269D971D9CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:34.499{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E095B64E23A304F97AD9C20616232BF,SHA256=7615B5A9CA2A9E838C7759333CBDE7494EE32438554F9905DF0E723347284D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:34.413{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53457C9610A67043DF4CFB3A43B8663,SHA256=E8C9B9D00811C2204E40C747927173F6D8A9B335FAEE6BDBD61AF1C265A15AC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:31.624{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54032-false10.0.1.12-8000- 23542300x8000000000000000392218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:35.606{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E803381387F2F64E8A565CD44578698E,SHA256=C3CCEB09C457FD388F076B7ABF238237352689D949380F364DB7FCB621B82819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:35.496{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF78397FDA18381C9337EC18D8A70D49,SHA256=B182F591CE1C59C1FAEE4B7E708136AAA684943784336C786D742623FE0D8F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:36.698{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7900E6BC2FA32F0F234B844154D01954,SHA256=53FDA99ECD56A5C545FFFE2FA2F4A1BD508B97D8AA9B3F6E1092437BA870F5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:36.594{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41C6789775676E8DFEDBDDB02D065B9,SHA256=7C86D7CDDE8040AC448D2957846FDA048D2C395DEFD617DA9C76B75602995B49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:32.868{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50437-false10.0.1.12-8000- 23542300x8000000000000000392222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:37.793{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0E73626F3F4CE364FC30C3D6522BBE,SHA256=388667F25689BFFB627DDA581BFEE278E70B8C49FEE859BFC33EA160C9BB54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:37.685{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072015BA9112FF6E10D9AAAFE11588F0,SHA256=4FAD169593B7CA85B26104638A2C1A593E99BF15273B68254340C7EB4F409C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:37.121{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2999A2F24CEF698EF5774989F3AAE6B9,SHA256=DCF4485AE1F796E4217F4CF893BA64D12C0701382342C64FDE9120E5E56C619B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:37.159{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1400A84FE1FF6425B6EB0A1823409C56,SHA256=0553837B277C5A6F070DB65B1C961B0D27E2D427A4ADDF3BBFD5E07E60C64DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:38.876{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3AC4153F9AE93B49C69297378521F1,SHA256=0EAFB7464294FF388F78859AFDE5700D5844DC64A29D73187C780B0084D7396D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.793{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 23542300x8000000000000000838670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.735{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BBE8C549E7F4972325B137AF0B376C,SHA256=0F1D3493BC3B4779BD78DF2598D207BA7FFDF54C359281A8FE19DB52EA29F108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.304{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7273323F9F94CE66E70AA6EE7D3F93C2,SHA256=EBF1128001EDE05C8977431D320B5D771A5BE44113788FD674F8506ABD273D03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.273{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.268{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.262{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.260{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.243{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.240{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.238{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.233{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.224{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.217{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.215{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.212{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.190{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.184{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.173{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.167{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.159{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.150{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.139{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.130{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.123{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.116{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.110{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.060{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:38.057{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 23542300x8000000000000000838672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:39.834{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D82FA72D3E0EAF81B117A0729232E3,SHA256=1A424EABED93B1B6D94E52BA075799CDF45CAC1661C7E6C7FFB6AD3D149D3DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:39.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB23939E4AFADF0F05FAE6A18BA66EA,SHA256=D96A2F97D5B8BB53A8601979D1C6C11B390CB4A859920D5164BA6A2286540B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:40.903{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4638037D8FE0D91866A39EC8AB95CF16,SHA256=18E5EEA2B6255C04B8AADED675E603A1A54A4BC0FD1BA80F6B9004B27C683A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:40.846{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:40.845{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 354300x8000000000000000838673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:37.519{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54033-false10.0.1.12-8000- 10341000x8000000000000000392227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:40.317{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:40.317{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:40.317{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.868{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41087EAFF22A73256C98AAAD59AD4C87,SHA256=F0183CEA0471B14C06248D2A12577E1E17AD58D92F561FE13C0BB862C97A4C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:41.046{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C0788DC33309360468466A6F8F1D47,SHA256=DB2164B4F7458B5A57EC57CDD43F2AF5C760317FB2E42ED3D3C39C4EE7CE95BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.376{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.373{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.370{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.368{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.368{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.365{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 10341000x8000000000000000838677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:41.365{8A63456F-147F-6387-3100-000000009802}29523788C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000016323810) 23542300x8000000000000000838685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:42.948{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B749182E269FC02946930AD6467F351,SHA256=A802BD36B2C30B49F805823995E796CCB7C2EAA42E4F69AE22753C7E0CE649D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:42.144{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755E7F358C9795A4FCEAFEB8E3B95141,SHA256=CDE31A5851DB18D2C0A8E59761E3B8E3AF1533AF3F7526B333E4C96F30269681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:38.802{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50438-false10.0.1.12-8000- 10341000x8000000000000000392260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.663{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.660{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.656{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.653{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.649{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.648{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.645{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.641{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.636{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.632{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.629{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.614{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.612{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.575{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.570{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.563{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.550{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.524{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.519{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.515{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.497{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.494{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.489{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.485{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.476{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 23542300x8000000000000000392231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.229{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C03389C5D5E9688FCEE23846451C93,SHA256=CE5263A5494E440CEB6B011CA186B1E7F68127EF0A314938725E7FD5B88D85FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:44.384{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6540EC4CF68E78E4D873DB2B57580BF5,SHA256=277886B2B7539DC59E11955685F2CAB1CD8D650605FAF8CC74BF16D641405529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:44.029{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F0B6BA8FF701EDA5E7970F0412E474,SHA256=CD63CF825F6F1E84AC44C998DC5EE1FFC568EFA6FBE0E624A881A7D9DCE95A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:45.466{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5235ADF3434A1B7292F3DEDDB46EC763,SHA256=2B0050E4E26A9B841F204C634E1157672A114A09F03A617CD86A09D52492A1B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:42.657{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54034-false10.0.1.12-8000- 23542300x8000000000000000838687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:45.111{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6005F5AFCCC4AAD0C924E9B1DAA1BC0,SHA256=AE34F5287778878CA5119DDA1BB53599B07317AD7677D1BE8E4650B54F199B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.534{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FADF9C0689F5E0C12C868883A08F6A8,SHA256=2F880502344A4B73940F65BBB0CBC2AD1DA6345CCDA0200B7437F2E941B2453F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:46.199{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CED89BE921693C12DA043CA4A5DC86,SHA256=1661171F8DB97B2A31B7B6E840A8AEFE8B567FD8F119D6B21CCAE8D6618A0BE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.223{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.223{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.222{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:46.204{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:47.723{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1548F386A423249BDB7CF7E07A79003,SHA256=8D868C0903D9127A9B3E7709E5E4315456603F18F03A18AF634677FC82F749EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:47.281{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682EA953E97E187D279E71786788D12E,SHA256=88A6103D1EA1E4589767422AC039108B86ABB43354372E82153618765812CA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:43.938{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50439-false10.0.1.12-8000- 23542300x8000000000000000392270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:48.922{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1B8EE31F20E11AFF04446A1F888486,SHA256=2C7BC4EF23FAD81D678B5BEC72215CDCAB100DA3A56CD8F676E51B5536E6E055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:48.377{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0070B530591B8720C541C0D9239D9708,SHA256=3BC101EC3F4EF673B494F7338A5DC79CAEBE7E644AD604B29AD6731B70436728,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:47.691{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54035-false10.0.1.12-8000- 23542300x8000000000000000838692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:49.455{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775DBCA9EED45CBE7ACC1EAEC59B2223,SHA256=CF5F3257A6A8884BF276C06A773AA4E2A9999501599E411FDD15A9301D476B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.899{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.900{E56ECBBF-2305-6387-5502-000000009902}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:49.571{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:50.537{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631857BD7023C357A53A344EE7BD01B5,SHA256=9A586492FF89E7EF4A12E24E43B22A8F805B77D2025D8FCF2C6B0DEDB61DB191,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.558{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 23542300x8000000000000000392300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.545{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EF4C82E606D72BD414D8169C08E1278E,SHA256=63E3F442CFE1FE2DB4032DDC170B534CAEF4732CE45EBD41FDC2E7882F0C7ED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.441{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.443{E56ECBBF-2306-6387-5602-000000009902}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000392286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.067{E56ECBBF-2305-6387-5502-000000009902}13642956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:50.050{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07AFB634A8836CB22FA737DEA69ADCB,SHA256=36EC73B5AEE59AB3750DA49C281AD610CCACB893E22DBCB2E6A814CB4E53AF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:51.611{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F083B62DBEE3B601EF453D7EACDB452D,SHA256=5AA480564425889996C0AF8A95DACC3C2831A335AFFD01BBC863EEF4BED53177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.559{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4C56A37652326BDCEFA774EC89CED10A,SHA256=35BB9A5F5D1713D4DDBE33DFE9554C0C5F8230511088CBAA724160EABA443E45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:48.314{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50440-false10.0.1.12-8089- 10341000x8000000000000000392321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.465{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.466{E56ECBBF-2307-6387-5702-000000009902}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.137{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B54B38E0781F7C3D49339026B9064F5,SHA256=8E73549A52B1007F4C8D6D897C034D53A8A24BBA8FD97AA4C0386A15403EAB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:51.000{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05D22CCFA580B31713AD1D6669E8D39,SHA256=194A21F16CD7C1AB4788DBC674385F171E90B51A2E266339AF09CA17FB6F485A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:52.827{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:52.686{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCB2DDDF4355E91E759C4452F43757C,SHA256=B367290A7A65F95DB8AF26F43A0179E217CE6E4C8C9B1D9BC79570AB175AEF15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:48.966{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50441-false10.0.1.12-8000- 23542300x8000000000000000392324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:52.217{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0262F77E25D969B34D0A8C09A1A7C5F3,SHA256=317071295C60845661D59772EE0BC5AC4DE43B45A0AAA45202C4950B6C1C5557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:53.780{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F375E8F30DA3F4E9DD0973D2D404964A,SHA256=5CF6660C524518196684D0FC00C853B2E2A98A92F0EB7AC607D47224CA23CE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.883{E56ECBBF-2309-6387-5802-000000009902}40923696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.724{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.724{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.724{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.690{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.691{E56ECBBF-2309-6387-5802-000000009902}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:53.299{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EFEABFF1B50E0410833A60F1E1A77D,SHA256=38BDD220D5140B852C81D7C343242BCFF831114DD5B55A261967FB5DF223BABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.551{E56ECBBF-230A-6387-5902-000000009902}32522304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.394{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35E90F24A9FC3AE4190A463A720DE24,SHA256=22FCAD3A851EB690B858097D53EB033B8EEA1743E95CE0B22B3837B6F98BC801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.363{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.364{E56ECBBF-230A-6387-5902-000000009902}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.856{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B905AA96510AD2D81A628E59035E1496,SHA256=E865BAEE4694E50D5F406A7BDB7B92E4E5AA3B95A31AA546FC75A5B49BEE3108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:54.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:52.255{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54036-false10.0.1.12-8089- 10341000x8000000000000000392386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000392375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F31E0EE2E1B75C73A1FBAF23607CC6B,SHA256=BCED44C416FDEB8FA8C425AF3335228093447864DBE58A0A467BB1D7615D022E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.967{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.970{E56ECBBF-230B-6387-5B02-000000009902}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:55.855{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5D69D73A216027F01665355D900B31,SHA256=E747076FBAE1BBF4DD57155A70BAE73A25FAF166ED67C812B31EEDCBE35480C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.237{E56ECBBF-230B-6387-5A02-000000009902}39561884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.024{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:55.025{E56ECBBF-230B-6387-5A02-000000009902}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:53.583{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54037-false10.0.1.12-8000- 23542300x8000000000000000838706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:56.942{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9129AA5C87BB2797AB82473E719471DE,SHA256=823F8E233E6AB9715A3686CDDD8846E32362F5B452FCE44FAF4A915B37D33E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:56.114{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4E5E68321DB748CDE416F36A1537196,SHA256=885CF60701375D5337A13B68367B76C975BC93CC84F77F38003D3A1AD2895763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:54.945{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50442-false10.0.1.12-8000- 23542300x8000000000000000392388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:57.015{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DF6C3D34A6B9EF6E68A90C0678355F,SHA256=B55F2E3AAD2DCC4CD5E86DAECE2D24961768B03C596E21CF69E9DC7DE389E7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:58.123{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B7B45CE3CFA263F771318FCB491E69,SHA256=A2AEB1C82EE8D3BA9F7A94329CAB0259CF30043E14791C6C420671EBCCD0EF2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.676{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.261{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.257{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.249{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.243{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.223{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.220{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.218{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.213{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.207{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.202{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.200{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.197{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.172{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.163{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.147{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.138{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.129{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.120{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.107{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.101{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.094{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.084{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.075{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.050{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.048{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:58.018{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EAA59CB7D008B59355A6FB69757C2F,SHA256=F076FE64881C1C89A4C1F357668B7D5164BDD81A514048BBDEF88B3CE1AB62B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:59.209{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596F23E0C9B95DFE3E65777AA49E7C8C,SHA256=065DF80AFC33E94F6B98B4D978FA050A97A4E82C4179F0EEDBC3A87C8B874885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:59.059{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12F7E4AAF4BC7D2478DB23589712A03,SHA256=11538EBACE666DB74B399CAD74A04BE53F9B4978965BF717DC8FA0857D309C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:00.304{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF94592647EDD9FB8FE5B83F90BCE60B,SHA256=468CECF8A567C429E6EEF70DF091B55E011619CC8CCA10BEDF109887A7C1647A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:00.713{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:00.711{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:00.140{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222419E5F8BE9E91ED28F7D76157FA4C,SHA256=0E4F91810E71B82D21431A2A35A95D1D13A548CADE30F4283165452B6FB9B4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:01.389{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDFA9591AD57735E325EAA0F195D9F6,SHA256=74807FB61627E66EBE6DD034113308F0E6CB9BF0ABC9E8D0A8ACCB1A6DC46852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:59.539{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54038-false10.0.1.12-8000- 10341000x8000000000000000838745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.238{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.234{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74FAA0B11695DC0C761FC65CF4444D1,SHA256=2D34D8FC54291EDAF6CA3F069817EAEFA2F4FD97A755500C6EF14A7E506CB02C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.231{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.228{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.224{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.223{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.220{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:01.219{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:02.462{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2767DF2E8E674034AABAE175AF2CC47C,SHA256=965BC152F9D4A2438CC4DE1B89DBFA7B4252E008C769B89C83DFE890E93401C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:02.314{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F013E3DDF3E2401F7E12C5B24ED8A2A4,SHA256=B73AC9B8964DA12302E7FC7D1C1BD71FB6320AE3CBA51868F3E3CBD3F670EC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:03.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F78A16A66F209D004C82E94D7F7BFC3,SHA256=09EAAB6BD432FA368770201123EC9CE1921EA1D250E121CDD6423CA265A98206,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:59.991{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50443-false10.0.1.12-8000- 10341000x8000000000000000392424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.634{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.632{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.630{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.626{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.624{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.623{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.621{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.619{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.616{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.614{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.609{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.607{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.600{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.594{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.591{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.581{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.575{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.568{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.548{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x8000000000000000392403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.541{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CF440728708959BBA1928710C7220C,SHA256=FE4FCA90FBAD02224BC4042A1D0C28A83A021896C56750F47577050FF2D78137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.519{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.512{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.507{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.500{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.494{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.487{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.480{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000392395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:03.478{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x8000000000000000838750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:04.480{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA58F1ACD6E9E6C50B8151B2441B179E,SHA256=158EED0D6BFB3316CEE093C3034D41C154D839C0C8FF301AF6B137B46FD5B5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:04.638{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F13FB1C1E2A4FC55534F9AF4D19C32,SHA256=E56B0B95ADB8CAB271715486D4897FFEDABC76A88CBE87EFF28686356721C3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:05.722{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FEDEB86540220D7B45298BCEEA82E9,SHA256=B6B858002F1A3C18698FAEEF95FDB4B596F6DACB9BC096B0AA2D5678DA483183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.850{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B5EFA16ADB11D9D83804EAD2DFAF66BC,SHA256=75A43280538C5C4B5014C778B0E56AE0FF0261569D32CA4B240351815923A3E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.825{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.826{8A63456F-2315-6387-5B02-000000009802}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.578{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66E0E0E89667B20740A397F9D4E9C39,SHA256=4948D20310655BE1566E8C4549387211B6F4949352F9253BC57F91E4CCDF7F5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.351{8A63456F-2315-6387-5A02-000000009802}38644456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.147{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.148{8A63456F-2315-6387-5A02-000000009802}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.973{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD7661243EA124C7BB8B1F6F0E38841,SHA256=4A3BB3718AAC009280B9C45850F6C07E22ECA9A53C7A7B49BCDE366F328CB22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:04.560{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54039-false10.0.1.12-8000- 23542300x8000000000000000392428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:06.811{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC98EF88277FBC9CC407F31261628C44,SHA256=0C8DFCEB3B0B2758C95DCF0F1C2650797B1B1B4AA621B1EE30A0E520F7B5C3C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.507{8A63456F-2316-6387-5C02-000000009802}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:06.179{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D219632E1D93569684AC320D8CCB10C,SHA256=E212121498D80113FA60C7090359121ED6A9BC8F4637E398D9E88833949928A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:07.948{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F008B49B2D135F8A7E45DA114737B9,SHA256=5B152357CFE7960C052472D736D76BF1A04CDFF20A87A16578A03F1A2A0F7EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:07.891{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FD30E18FE16FDAA6D65E587536B395,SHA256=81EEFEB8BB420C49681BF1126468ECC55E9798B4EDB1FC504314ED0A71D293FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:07.294{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5CBB72C1CDB56134B38D2C401A5C171F,SHA256=58C505EDCE7C978957C8843AC35824C2EAAF783B2708662C1E36C056F1020B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:08.974{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC147F368B1F7EE96A36371D8C1873D,SHA256=B6A44EAA659B9603EB4F3CE3ACB8C2BFCBCFD8E9CBD84E8E66FBBFCB2FC1768B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:04.992{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50444-false10.0.1.12-8000- 10341000x8000000000000000838813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.809{8A63456F-2318-6387-5D02-000000009802}49922128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.795{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54040-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:05.795{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54040-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000838810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.537{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:08.540{8A63456F-2318-6387-5D02-000000009802}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:09.965{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3DF298C3273DBEE0E642822AFB725C,SHA256=A2CE94B4EC74090246848736BB5F6F78C93398AC21DC74C286F6C8EAE14FEBE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.908{8A63456F-2319-6387-5F02-000000009802}2308948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.877{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.877{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.877{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.704{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.705{8A63456F-2319-6387-5F02-000000009802}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000838828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.240{8A63456F-2319-6387-5E02-000000009802}6201160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.052{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.053{8A63456F-2319-6387-5E02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:09.037{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1C751D89D5710E7B536A7651EA652B,SHA256=2E5C3C57CD3C868EFDC291319B2882172FB81BE03BC50C5D16B7ECC2C4121B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:10.293{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA592E4C8B38F4BDA16639BAFA4DD07,SHA256=438E2AD710D611115265A6C55F5E20B04EADCC053A6556CD68EF96C3B6C2B472,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.870{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.869{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.868{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.867{8A63456F-231B-6387-6002-000000009802}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:11.443{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FAD91BC65CDC655D5AE23F79150CDF,SHA256=5AB4E0EB8B5290A0A49A7A5386CA307806E448EE986C039774C6B0C83350BAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:11.067{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C4AB5C0EEA225037576D7A78B7C20C,SHA256=8372CDD8A819B26A3C85DB64B28441F116F7081CFBED36485BDA204250F64CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:11.003{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-060MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:12.946{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE17A51A936B3F18BC8C92011269EAD,SHA256=854EAEF2F4B7F70605582EA40649CFFEBD4C2DED829EB6A9F5D37805B798E3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:10.559{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54041-false10.0.1.12-8000- 23542300x8000000000000000838861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:12.519{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D82BF91DD1EA656CAFE350216F5F22,SHA256=5CA0250D885B90D10974A56AD6C9B8C5A1B1E18C87794891616BAA725D2028B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:12.022{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9EB66FC41AE6BD12CF5BC50A2673E0,SHA256=EEAE33DF2F419190E7308BFF885DCCE7A706BE0000B64B7BAEB9E5F3E8D4FB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:12.016{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:13.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03421D9EA4A79799F18A683536AAA2ED,SHA256=B12CC5965AB5BB399AA4EA510F997019298E9EEB481EA036C00DE963C144BFA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:13.122{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462EE512A86D50371F623C1450260221,SHA256=8A2732AAA08EFDF9678A692278A5999986E112D3F409EDAEC40E4158389A90AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:09.992{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50445-false10.0.1.12-8000- 23542300x8000000000000000838865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:14.692{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BD09E7C135B4ECDF912B4984F05B2F,SHA256=06AF5A197F1D368338F939AFC7AAB134BC116761A478B1B195AD9B5FB008D532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:14.099{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DB1DD0EDE2FA08F9EC9EDD0F966043,SHA256=40177A5E1AF0F510F4F1EE50635F364C15539A2A8E4AE3E5F3009780E8ECFDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:15.775{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D85A7FCDE9C8A6CBBDB6F65BDD30B7,SHA256=0A68ECF6448B5AFB02B0108DD8C62A7331ABC1C671B1E8521B2B62C62C5685D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:15.164{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C40ED6CA78C7BC7E2079C10A017271,SHA256=BA10A784D03422E26AD96FF432DF4CA982BE1D9CDDA1F3501D628F285C2E2152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:16.859{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAE8297457BE3D09759A864E34131DE,SHA256=4E49DC130128A80D86A8F11745B01A8F1D9ECA5CD0BB2281C437706D1D9B7E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:16.235{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C45DA05852C0418C7AF514ECE20CF1D,SHA256=D4056D710DD904F34374673FD3CCC35836F3ECFE4D7C2449240EF81E702A741F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:17.932{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E39EEF69A27C2CDD4CD2EAD7ED5CA5,SHA256=B79C3122206202E292699DF59471A9797A9D67274824B03B3DEB7151A5C91DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:17.334{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5894B9DDAB682B765CF37389A1AE39E5,SHA256=F09416C57ACDBCCB679C61B5FC8E61A7231B4FBCEE7689579126E238B21EB416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:18.415{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F6ADD96137F5D3A601F17497D02D01,SHA256=A9B4093ADA981402F39010595EE743EF9BA1A37FA71DE6E1209FD8D3018574A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.887{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.392{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.383{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.367{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.362{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.320{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.315{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.306{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.297{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.287{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.283{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.279{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.276{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.237{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.226{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.201{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.190{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.178{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.164{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.155{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.148{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.141{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.133{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.123{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.068{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:18.062{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 354300x8000000000000000838869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:15.641{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54042-false10.0.1.12-8000- 23542300x8000000000000000392445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:19.507{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22E791734E7D0280667BB872EC0A929,SHA256=65E41251AD25B32AA1A77C775BBB3CBE256EBE17C5D710D3919B8C379B2517A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:19.198{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8085DF174B2D31BE1C835416E84A40DF,SHA256=217F6B8D6C946767E33FC877780C567B8F54374B3E9FEE7D60665117C6EADE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:16.014{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50446-false10.0.1.12-8000- 23542300x8000000000000000392446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:20.590{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBCB4C8F9CE820213DDA61BD51ECCA2,SHA256=8EB890D3B7BDDE50892447344B052D8403453872C7694A259B34A39ECBEEFEB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:20.931{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:20.930{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 23542300x8000000000000000838897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:20.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863371C2445253C3D5D6F3384A247CEB,SHA256=0224C34D02D1C1DC34C165661D3B611AD6F2C7A82412950BC4975D28B16D87C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:21.910{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=977A0D2BD7BC36B631E6E714CBA59DDA,SHA256=57282C01840E5D13C9EAE472B0F782F0058B0A963ED3120703BAEFD5211D34C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:21.669{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438B27C7BDA3165CCE014437CCE1B61F,SHA256=769AE41696A30D9A79A3C06730C55132D823C3A65E4B3B00B5F4CB846CBF6138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.546{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F171C364D440687A17D7042775311F64,SHA256=A024EBCC4E1E53D960FBB61455885E03CA2DD69DB76CAC5A900E54A4FB4E8629,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.452{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.450{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.445{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.443{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.443{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.440{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 10341000x8000000000000000838900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.440{8A63456F-147F-6387-3100-000000009802}29523536C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E190) 23542300x8000000000000000392449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:22.740{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0E75D07124335D30837F3C269A75E5,SHA256=B646F2D288D09E0B5A7585E07A1B8C6423A061EC3D9B9260E444B4BE050A54DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:22.631{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473DE7629DFCEC630725E4A34E34027A,SHA256=65E0F4630BA5F0AF3B6CC1EC316FE5453FA9530A3924824C75216E7D2524EFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.812{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E707F70CFD966D195DD229F9F28BD112,SHA256=862450B18CE6E213A23A01A9110E4DC0E5A21175B4FC055E34E32887D7021C4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.767{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.764{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.761{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.759{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.754{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.750{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.749{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.747{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.743{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x8000000000000000838910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:21.658{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54043-false10.0.1.12-8000- 23542300x8000000000000000838909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:23.706{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802682AE5364B7D0588EBC6375A3E1BB,SHA256=7B69A2D9CF1979F96EA75133AA14B80E922CF10CFB862543CD119244C713D9A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.739{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.738{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.733{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.730{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.723{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.716{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.713{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.692{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.674{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.658{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.644{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.627{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.576{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.562{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.549{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.530{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.519{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.502{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.482{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x8000000000000000392450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:23.479{E56ECBBF-146F-6387-1E00-000000009902}20202444C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x8000000000000000838911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:24.795{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78DCF68E291B0C62E4A91D7F843B0BE,SHA256=0773D71A1FF06D84E07315F292CC55F064E712CBA84EB1E49C025F344067A8B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:24.790{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442AEADDE8CC2CC2821C3007C72D25F3,SHA256=66C1ECEB75788516790C84FDEA3BBD5BF64C08DCE0717184EBE79341B18CBDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:25.870{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB9AD758FEB0089BB3F43205A4AAE20,SHA256=1F2267CD178BC8F36347BD908A8E1D86DBE6D0392BBC730CD6C7DBCCA1D86CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:25.873{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65D15F33F44A4A6A62D1FC4B71ADA85,SHA256=4F9EBECD29C47BD1039DB7FCE75E14F5D6BDC025FB0645057668FBF73B31D53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:25.380{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-060MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:26.963{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6493C9CD657F7884FB7AD7C663D8F604,SHA256=67490671C59C5FC5C7CBC6240A5D8C653105073182A0274AE3B334038C87A171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:26.943{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A6076BEA6502C8E58598B0ED5BF070,SHA256=DB3DC625576B9A937457260782874FFDF9E0431D51DF3D86C51B9BDB8FA4DF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:26.386{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:21.854{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50447-false10.0.1.12-8000- 23542300x8000000000000000838916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:28.016{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C9BBF13FA9EBB0641727DF28E3F61A,SHA256=4D7D0CAE1FFDDF9CF1B705B9EE5139871F8E1C07929D3084EA5AD4B63AC95719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:28.051{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C0C9CBE32DAFECD0C74F4F9CD232F3,SHA256=09284D976F16CD86D9174212DAC1FFFB3F492E0B53272E67BB1B820B38C2DAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:29.138{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD18DC6C650FD18B7DC419C59527E533,SHA256=8163ED32CF43F030267C0A8D3B987DDEBC8E475C1A350D5347518A5F086BC0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:29.081{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646687D5512DCD4C29828C43E551D88C,SHA256=881DEA4473BB77219714EA8B56B4BDAAA02EE8109DA864F79AAD9C92B5F14577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:30.231{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBE5FB2D91ADE3506B605EA9EE82DD3,SHA256=D21D24EDE281E5A2D87F8B08E93BE9186B6CB68814061666AC2E4484EF09D7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:30.160{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5519E0171FBA90A7C97BA45DCD6415,SHA256=91CDDB6FAE41903343CB7012C546AB3E59325627199425B3A0D0C3D58B329661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:27.501{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54044-false10.0.1.12-8000- 23542300x8000000000000000392488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:31.317{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E185281DD746355C5DE030078892991A,SHA256=CB5C739B52C21B642A2C07447DA8FF2DC31788BA151476D09EE505E1CEAC9773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:31.138{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F8924DDA54275727D5683320106D8B,SHA256=CBC29A20564D467B3B0FFBC4C86E69B2AB87C6F701BD0558886ACFFD7FEED464,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:27.880{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50448-false10.0.1.12-8000- 23542300x8000000000000000392489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:32.401{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30C4786AE09BD7B6307D6916DD77E2E,SHA256=129C2CB9C856493C6FFC64041209F747EFD4754C70A9AA74F7C41F91589472C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:32.198{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCB86391BAD79D01443B23DA4DE061C,SHA256=97CAF8B53411CF0B074507E500D672108276C149550A16876EB2BE97C7F65098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:33.475{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8032967D9BA8C78A40C08C90531F4B72,SHA256=EBD590A3AB8D1883A403E53D03598D19EB85C34465EDF86D0083EC11ABE003E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:33.285{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3CEF59EE778D01ED39739DD256B8A2,SHA256=57D55A73A3F4E55356A2134173112C07D25B4C6A2ACB1ECAD574A3A75FFBE187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:34.560{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D126E245D991D3D2A860BA9129F6CC,SHA256=272227A1DCCD2A058F067E8FE1327A298B59736F91DB24078575A7F98A44E406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:34.365{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA49FB7F85DC8D04FA2B7CDEDD2CEF9,SHA256=C894C9A71C28F20FBF0AAE92E51ACF9504EA705A890D1F1E49E81CFE06F64ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:35.639{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F2A2AAFBE0CC14C92971FA6BF62C5C,SHA256=B7189996E6814AA492917C54E5266F734C7F75A294EBDA0BE9DC697674C993E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:35.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69E98EF70C8AB02DD66DD07F050B57,SHA256=038549528ADDDFC80E92FF0ACD075704D171D77364FF95D30184D7227EC3927D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:33.511{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54045-false10.0.1.12-8000- 23542300x8000000000000000392494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:36.722{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB193C44625860DF1B4025EEACCFDE0D,SHA256=3E5E8A6CBBA42D408958A8389F0675D1B1988197900B7C72892AB6C80D2B6350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:36.528{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FC7EDC41BB18A057FF4D9A7B719B8D,SHA256=032365B7398F6F6156717DC9C4302545A4D91BA02FE2863674A57F84459E7F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:32.975{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50449-false10.0.1.12-8000- 23542300x8000000000000000392496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:37.801{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B04FE1A25322C1B55F7A268072CBB0D,SHA256=FF7BB255A7967514248CACEC2754B969CD36496BB5637A78DA67B22CCA0C9856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:37.611{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023B4A25A44E393D9AF04307FCA8F87D,SHA256=FC66AF67692EA98C61C71E6F2C972206B2D8FB266CBBDDED60A98D2C02E6EA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:37.138{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2173FABF67F0F66665DF64640D6551A,SHA256=6F140F4225D3513871C8A4A5D8CD87B6CC0F7535BF620755A4483AAC61BD305B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:37.492{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=971BDC1A2C39F9D3D4622D9F5C423972,SHA256=8AC07F4DD1069AB854F6471D9C28E40476475ECEAF0F15D394571BE9C934D35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:38.875{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7511BD41EFC78B318CDFB407D8A083,SHA256=5A097B9BCB37790057C4F1B7946096849C015E2C56E397C06264198E1CAE348C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.681{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.656{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE82B92B70BD2C96CA7F4598374CAC51,SHA256=2E8630411E9D08077E3FC1FBDAB902DEF3B7A9869D35459DE5A9638D81D44028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.306{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5868ED640E0FECE794C8166F441F1E95,SHA256=D40CB41BDDD7753844790AA56A7F268B5250E1D765781C1C64E78335A12F49AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.269{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.266{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.259{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.258{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.240{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.238{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.236{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.231{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.225{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.222{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.220{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.218{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.194{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.189{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.176{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.171{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.165{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.159{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.152{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.146{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.131{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.122{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.111{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.054{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:38.050{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:39.733{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89FC18D707A57E7DEE75C3ACCE44326,SHA256=F915C4F7BAC4A4BE38D78DA91633CBE7E205D34FAE597AEC2CD09D39D8DB07D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:40.802{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD38821DF003E30D88F2F6184CF8771,SHA256=B958DC1CFEBC2B26F773A771BEB313AC1FCB23EE482D3031C89ADB1E2F946F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:40.061{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CF7DBF76C461CCDCD1D5EF99A6BA30,SHA256=D8D574D1D5BB1AFBAFA36BA426AD4F944388F8CDB7A71EAEE78C4A67DD3ABF0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:40.727{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:40.726{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.879{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC70A96191A886AEBC76E7FBC1812344,SHA256=70F71BE98FFAB8CA9DF3D0424F2722C97151C82AF3CA43829DD13453809308D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:38.803{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50450-false10.0.1.12-8000- 23542300x8000000000000000392499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:41.132{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ACE0ED966284E93A693677D65A6F8B,SHA256=92F9CBAEC10B2F3211FD14E61192DAF0198ADA599B31130386BCC8EBC3DA7265,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:39.522{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54046-false10.0.1.12-8000- 10341000x8000000000000000838967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.251{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.248{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.246{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.243{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.242{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.241{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:41.241{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000838970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:42.962{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018EE3AC7AAD7E7BD3119500FF5CA611,SHA256=86A125DDE8C84C5DC09BCE958C07F23D8829F46F8F174E7DEC385A199161B6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:42.219{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC1B1B34A423EEC92ED8D73503E5CBA,SHA256=F1697B464DEFCF3B944B6722B3C33CA347874523E065075F226A601FF546BD98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.670{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.667{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.664{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.662{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.660{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.658{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.657{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.652{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.645{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.643{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.636{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.619{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.612{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.610{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.596{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.589{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.579{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.571{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.565{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.543{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.537{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.532{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.525{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.519{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.512{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.499{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.495{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000392502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.302{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F714B65FD489CEEA96FB8ACBFCFF87E,SHA256=3F3AF08B27DAFC3E8EEE84927F115E35AAE743A2BDCC8043E9C895365D165022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:44.415{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8763B3B3C1E2A2742346D376220C961,SHA256=4B841499B764F314B37186C974C3A274EAC1B5B29BA4C21798F38541B5858898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:44.050{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8829DBF7C8A211EDD85AAFBB3B842A18,SHA256=3B6B910B52369CCB0DEE8EF372AFD16457D8AD47835D76D6E9DAB83716B97C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:45.468{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091CDCA54D3E82E2A2379B53477A9063,SHA256=B7BBCEDB410E199C7ABD0812522E2C3DA14EA4E45C94163B4E6F8F484ABE9682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:45.130{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097381643432615D5125C86530352DFB,SHA256=9A918F9F1EE87DEF02F6C3683E16597BEAEB19BAB7FEB709B68931058DEE8F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.537{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7695C02D7CD39FA6AFFECD697FF66CD9,SHA256=03EE9DF161AF7C414D68A53DF32D6EE56E106ED17DA7F5845B82AAD91EB9E25D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:44.529{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54047-false10.0.1.12-8000- 23542300x8000000000000000838973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:46.215{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB755F19A8B698A10E700F07A66C733,SHA256=4723D2FC5C32E1045B5F1FEE4024B64EB5DCB70F81E57DEE38E455CCB0208269,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:43.953{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50451-false10.0.1.12-8000- 10341000x8000000000000000392537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.227{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.227{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.226{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:46.212{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:47.620{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0AD078144EF5C6D4454235517E91A6,SHA256=3558D2831E5F53DAE4CD1F89251C228A5FE837FE168774C09C0B171457A23DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:47.301{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3144884F99A523F51BEF30A142C6DEE7,SHA256=713EE449962A0EA846F0601B7306DDEE8661E72738F1C5AB6701D816A8844E40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:47.219{E56ECBBF-146F-6387-0D00-000000009902}8001736C:\Windows\system32\svchost.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:48.687{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD339FF67761BF07BE8B09C0384890D,SHA256=5F3C788FF11BEB9E2D0A0CE0FB893D6F701DFFB01FB3F29EDCC38BAEE0C712D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:48.386{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE598200FF89484071F6C35B97CAFB6,SHA256=047C01C20406DB6CEC5E674CD44749F2FDDB807E5802C6596BC5F79E468C2A29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.913{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.914{E56ECBBF-2341-6387-5C02-000000009902}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.772{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C65297B38B13FF3C7E226BF1A4D523,SHA256=C902633390E6FCBF98BFC8AE8A3B401D2352ECA67B9C3846DF36CABCEA93A57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:49.474{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB2E409955022598D51745E340D426D,SHA256=76443AC88B8CF9E12C954A937114E1EE6C9031A4A4398B3ACA4844A78525451D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.600{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:50.564{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EA5EBC87941FBDDD4F337638991EC3,SHA256=3796F0CC14FC47FD72EC3A341D1F024B2AFF4B127F4D4ECEA37008D9839A9EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.638{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2A3D9FDF47DFCE1E96721C802CF2617D,SHA256=775367FC659172CDA5836F6C3D608B19406B9C3AC8A10A337D7600499BED97ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.598{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.599{E56ECBBF-2342-6387-5D02-000000009902}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000392558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:50.079{E56ECBBF-2341-6387-5C02-000000009902}26081640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:51.748{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407C2F5BC6CF12A28EBE661B00F1DF53,SHA256=91AD73BF282C242B39E599ED269D2A1B47A3981747C9AFAD7EB8822B9ACA4E33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:48.343{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50452-false10.0.1.12-8089- 10341000x8000000000000000392590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.598{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.598{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.598{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000392587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.477{E56ECBBF-2343-6387-5E02-000000009902}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.180{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4796BF1FD5B5B00FE2578C72C6A0F3E0,SHA256=A5D89248EB3BE2DBF5E0C73C78906E0518DBA42D16D300EF76135F02ED538332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:51.109{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423FED269E0957498E7FA714F5206E5B,SHA256=3305B2E25896380E3A04B6B9F0FEF77FFC4D66BBA63D8F12926BE774BDE5F177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:52.843{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:52.843{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF5D73B26A2F325C86AC0C86CC26DF2,SHA256=8BDF71B81B367C5D9A66A840A716488551184A84FA4874B6F926B3C053E882FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:50.544{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54048-false10.0.1.12-8000- 354300x8000000000000000392594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:49.906{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50453-false10.0.1.12-8000- 23542300x8000000000000000392593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:52.161{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF26DA4B02455E9E7FC8499EB553430,SHA256=20B7C26329F3ADFC67C5B684F3AECFBDEBFD6F436E2F0C30878C791C5E94DCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:52.036{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E7937D111424D5D86C1D9E12B34EF911,SHA256=59136E25232F309EBE0848483A9E7960545456E105B5FEAAAB9F764C81E22ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:53.917{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99E48D81BD0D5B06D3BC5666A9D8B2C,SHA256=0FD92E19B6FDD564F921E6A9D502C239CDFF01745EA596DBF444A01882BA5D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.875{E56ECBBF-2345-6387-5F02-000000009902}36882996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.718{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.719{E56ECBBF-2345-6387-5F02-000000009902}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:53.224{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B702EC174E88A9A204E936D177E88E8,SHA256=9E588AB08AF2DE5353BD183C75EAFC71CD17CDD92FA7FCA8584DD96E481709C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:54.996{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB55A2FF02823F6F608A2C8BB3439CE,SHA256=BFA11CBD1CD9173F29C3F3BC04829A629BD14B6A8977052608D119D9E7320A05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.993{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.994{E56ECBBF-2346-6387-6102-000000009902}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000392624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.557{E56ECBBF-2346-6387-6002-000000009902}25121912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.385{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.387{E56ECBBF-2346-6387-6002-000000009902}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:54.322{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CADDE4F96D7FE5ACC7F83A21DD23D68,SHA256=C57F447C2653DFC5C4CBC17B3E2A7DA61FCE7B488D2E567D402C02226B543185,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:52.272{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54049-false10.0.1.12-8089- 10341000x8000000000000000392652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.974{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.975{E56ECBBF-2347-6387-6202-000000009902}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.628{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE8BAEC527A1D834844EE43DCED1377,SHA256=335B6C4B44CF5CF0B480A5751DE04A1E212E6303ED036488807C159D3C73618D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.128{E56ECBBF-2346-6387-6102-000000009902}8522400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:56.725{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B53326871F415CB950EAA997ECBFF0,SHA256=DF672AD74F60DFF07109B41FD1963CCD59BFB4154E675C343EDBD3DD4E75E986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:56.090{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C611E6818198C6C00FC8D81776BFAB74,SHA256=2F5BDF0F8B54F89340F6250D71BBB98A605CA146D6C48BDBF2F8A64A6C3BF3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:57.807{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66169B5116AC74CAEF655E61705B5B98,SHA256=F2BFC8BD72C94B4C906634FC521DFD823D178508809BA69D833A4866C47BCE99,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:55.567{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54050-false10.0.1.12-8000- 23542300x8000000000000000838987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:57.179{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21515BA7091FBAE998B918A80C3D4605,SHA256=18FFFBDF64DACBD9D7ABBF9782C40C16D6F497C6583D3153753D3CD2BDC9F5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:58.891{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF4BE63F57E8481601C44D53EBA6AF1,SHA256=BEA5C0FCF46A6F1FCCE460401CA84A356DF1BB1F4D3CA1E8B5C7BEFF04168F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.898{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.384{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.378{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.367{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.364{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.340{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.336{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.333{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.328{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.317{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.310{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.305{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.303{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.267{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.256{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.255{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CDF8C4A04804086358FCB53FF473A2,SHA256=227BA4A9C241632BF668D1D2D29463A77CE9B4CFD14883A5571576643DE02987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.234{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.223{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.210{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.191{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.184{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000392655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:55.920{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50454-false10.0.1.12-8000- 10341000x8000000000000000838994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.175{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.161{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.145{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.131{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000838990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.057{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:58.054{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:32:59.996{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA42CAB214BA86859ED8D856F3430E24,SHA256=FEE28ACD110337F122A4097BEA6B7A7533EC2F5762D089F159BDD4EA619C1B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:32:59.291{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CA367F2A77E76D1C037A78042EBEE1,SHA256=4894E1B8A2BFA60220C6BEDEBE20EDE442B1CCE75A6B7E25F7C6D332D782D233,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:00.930{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:00.929{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:00.359{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0CEE7521EB8BD4071EC68AB5340B72,SHA256=A521E89166D5A5D285E82E2BB9D93E2022CCED7CD0136E22464BB7C35CBFE4D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.849{8A63456F-146E-6387-0B00-000000009802}6441192C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.835{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.459{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.457{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.455{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.453{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.452{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.450{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.447{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23689F28C41B23CE614A0BA1E37BC065,SHA256=28C018EA243DA244808160EDB72B8EB4D3BFDD2CE11C0878266F306A3DBCC2FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.447{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000392658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:01.076{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9673C041D2416D776D1339242343407,SHA256=A046E7A960B1AC74426025B5223C220B4816E82BCA48C35FA770BC6656F0EA75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:02.525{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC6BFC96ABCE1F3358539C214241310,SHA256=3195C6ECBB7C0B46CEFFEB73D78A2CC8FFDA671CEF7265504FB76298896DB728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:02.169{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0ADED85DE6075B022D470B224D9F64,SHA256=02EE835FC91C2D4F8452EBE374602CA09A51D8DBA6705C2B5753E8390A34E9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:01.517{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54051-false10.0.1.12-8000- 23542300x8000000000000000839033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:03.627{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797BC5E4C606805EF4F4E85D6E9E84F4,SHA256=C1B2A409EEDF59540DA53499478CAF55F38811826B253A7F88EADEA36819F239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.631{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.624{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.622{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.621{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.618{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.615{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.611{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.607{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.605{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.600{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.597{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.590{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.582{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.580{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.567{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.561{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.555{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.547{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.540{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.517{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.511{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.506{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.497{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.491{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.484{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.477{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.473{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000392660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:03.356{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7AB70DD12179AC45E5F14213DE80B2,SHA256=0A64790685C119F5B4FE48BC389B04420FD09E1BFFC61360EB284C43061D0D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.995{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.725{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615A155186DB74E6F8EF5A18E4107B71,SHA256=71D0E90633D097878440F45E08F0C2ECD59F8F43FFF7B0B200BF512A91485A08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:01.957{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50455-false10.0.1.12-8000- 23542300x8000000000000000392690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:04.729{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607705C461BD9C901858817DF8FB7767,SHA256=D1C9EA28C9DAED919D54962453E864223FC1E5C026433D3FC84E46C2177BF117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:05.775{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F46A710E521F91A51D3F3238A4F3AC,SHA256=BAFCACF94BB0CA1711AAA4B354CD23C729993B046D99A9F213E51AE46FD8567C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.701{8A63456F-2351-6387-6202-000000009802}47003872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.494{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.495{8A63456F-2351-6387-6202-000000009802}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2350-6387-6102-000000009802}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:04.994{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:06.856{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BE9ED061715139438ADF563E0D0B1F,SHA256=54592E83E4065467C378A18A1D7DD7E83DA6CCFFE0D45AFA4A8686844EF36D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.905{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C064F436C85244D94680E6F770DE32F3,SHA256=130946943F53AE71BEB38B4419C770F78EA6E97F76DE5F42983892695FCB13B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B2537F83921FA7E1E680F6AF0A0B4C,SHA256=1C7EF62C7E623E76574FFCB66744175FC797D8479CAE83733AE27A39B480A65B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000839066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=350444B61401F32E08F3BF2006EB2D00,SHA256=491F4278F15D8568DB342CE46E10B79B24FBBDD28FEE27B213B1C40A787E400A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.119{8A63456F-2352-6387-6302-000000009802}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.116{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1E24C4883DD50F5C87DBACDF67DFCA02,SHA256=EC7EAE093FB2FD55A5A4A6D71F6120985C563B24D2F8F8337823D4A0DFE7B2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:07.940{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE627DBD5C670BFC5DD6C73C8DBA95,SHA256=A5D957B2499837DEB6AB73DA1FB145F4600FA9108BF4725E37458EDB07DCECC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:07.198{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826A7EAD4C107BECD5B3FD73474726F2,SHA256=A8A986501C369C87D506EDE137FB09C64DBB66D81A9603E52356B5D9249ED142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.557{8A63456F-2354-6387-6402-000000009802}2004592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.386{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.387{8A63456F-2354-6387-6402-000000009802}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:08.276{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FCDC44A64217D264ADC2D4D1ECD38F,SHA256=D591FA060F547F11786B390AC93117548BBE62E826503349B28A4F114CE06B2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.796{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54052-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:05.796{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54052-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000839127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.790{8A63456F-2355-6387-6602-000000009802}3803964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.587{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85374CB8EE767AAD41AFB1B37D911D56,SHA256=71E0229006CD64274A66AB7F6B32DD02E2AF83C2466271BE8124E1E28C0BBB43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.578{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.579{8A63456F-2355-6387-6602-000000009802}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.358{8A63456F-2355-6387-6502-000000009802}1404364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:09.006{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC4E9CE53244036534F8E27DD208665,SHA256=5C72E5F126C8C1DFA20F300BBF309A3CE07E83CF35C4ECE2FF7EF4CCD2BFEED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.077{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:09.078{8A63456F-2355-6387-6502-000000009802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:06.523{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54053-false10.0.1.12-8000- 23542300x8000000000000000839128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:10.461{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472BF58BFB0D4E5A1718BF0949AD37F5,SHA256=E2048C762D17F1B61EFDAD8F9727AE4AA72C713EA9E14462E127FFAB22E8B77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:10.089{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C357D72CAA78CD7FD944C57DAED3F369,SHA256=3A243970D040BA66911589DC26124295F16318042F544379D3BE569C3D834A4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.930{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.930{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.930{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.801{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.802{8A63456F-2357-6387-6702-000000009802}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.546{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2625A2AC149F659A2D371F0C53FD4C2,SHA256=29715CCF9A615A2D01066C2003A14A72BE5DFAD589EC472ED2AAC5DB5A7FE6C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:07.903{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50456-false10.0.1.12-8000- 23542300x8000000000000000392697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:11.189{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FD374C0EA626BB66DD00AF316424F1,SHA256=C8E6DEDC60A4890159A8ABBE441854996C866F9AB7F9A5F23FBBFC0BB11D653A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:12.944{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09FEC089814034F78D249A25E16B9E3E,SHA256=735079F5261C7E04DA40DD6810176D6F89EBE3C3D748D2C6EA0731265FCBEC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:12.623{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73B62F7D1B0A85B6233B93932FCAD20,SHA256=C8DC40880CD50767DF20A3D032BD8B29E139A3FFCAFB18C621F4E75CE109ED60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:12.534{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-061MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:12.266{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89BEFCB35AE5E391477217EF3C950E0,SHA256=032BF7280031542788BE2B551089438A30B786A85718242ECE5377A7BA507E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:13.715{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0E535E49AC0206BA03575E124F01D3,SHA256=53642B1222F9CB0C6F7F05939B7782DA6A54590C33E082D36482C0EAFCF64631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:13.534{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:13.350{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB1BDDDF953828880CF6B8FF633152C,SHA256=AC5B2CD04A6633F0046E0EE0032B9B883F06252A81A6F9A56434059344E6DD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:14.790{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031A833A4E0A0FE7D26F62D722ED1559,SHA256=2A0683B4A8792CBD936D20F83375DFFA19D247187778DDFCD1EF100A4FB11375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:14.413{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4D9006CC57B2ACED63199E7DA3E8E6,SHA256=AA8CD02F43B135B41F9556C3F4EBCF8060F547D623FE42FB229D20FFAC1E193D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:11.574{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54054-false10.0.1.12-8000- 23542300x8000000000000000839151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:15.853{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC62582439E14493CFE51566C9D23593,SHA256=425A697BE3DC7C91CD0F42BA63A271160F3C87B40A5497AF0B0C3050AFCEFD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:15.489{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4BC28A35BBB87F285B350C4E207411,SHA256=5A7A79745EB0ED4853D2C605485045F2CB32EC9A83EA160B7503877446B8B08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:16.944{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890FA610511AF135A868C910A2FA3371,SHA256=DDE8783B77E8A88987E4593B9E867A121AC50585FF5AC430CAB8049FC160032B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:16.561{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D9939493C177840DAFE7595F6A6073,SHA256=8BCDA684534EA4EC81BF6D1D265E4313039C5A761A077FBEC512545DD41FA530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:17.647{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BB9AC54D9F139394D16E82D665466E,SHA256=10696D65AC8D43CC8732113DBC4F74E8421A52FB91CED097DAAB12E4B7B95CA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:13.835{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50457-false10.0.1.12-8000- 23542300x8000000000000000392708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:18.859{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4D013CD89533964DF9EE5EB48DC13B,SHA256=8B8F94B42430E2528F1AFB2C61B770E3D99C24094470B5B248C660584A8AA831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.939{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.369{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.360{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.353{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.350{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.323{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.321{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.318{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.310{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.302{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.298{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.295{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.293{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.264{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.256{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.235{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.227{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.210{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.191{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.178{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.170{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.156{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.145{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.121{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.052{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000839154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.047{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640C7E747C94C33176E2BD4A5A69B587,SHA256=5280D93B8C721F2FB05D6F72B3D5A0C07D92F98940FC603A2583549E8E8BD773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:18.046{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000392709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:19.938{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4EF6A17EBA0BAC3FE7BC5AACBF2783,SHA256=B2F765B1A2CEC65983C8912F25E4CD33FAB47B15A5A743266192A07E821897DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:17.499{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54055-false10.0.1.12-8000- 23542300x8000000000000000839180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:19.071{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B174AAB4B750BC9E2F9FF2F98BFD15,SHA256=B24ACAF9092822914179E6479A3B44E5F95AC536695D749436CFB01FD024FB8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:20.982{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:20.980{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000839182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:20.153{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A333EE16CCFFE14A2E59C2F231018B3,SHA256=7EDA91C29CF0C8C28BAB35AD5D986010868F8588D6F00EC568C11A0FFA266BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.556{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F543A50274C2A4138A1D7EC188CE1D69,SHA256=9DFCFD93A01E4316CAF825E0A4EAB7CFDE9C6C29E97ABADE7D2ACD0B698ECC90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.499{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.496{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.493{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.491{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.490{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.487{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 10341000x8000000000000000839186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.486{8A63456F-147F-6387-3100-000000009802}29523540C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480CD0) 23542300x8000000000000000839185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:21.235{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235C347ADF849F369B3E1E519B5FDA79,SHA256=D6A89F2A8351AAD6B44C510F7560E1DF83941EA11E282B2C5CE9530D2C31927E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:18.940{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50458-false10.0.1.12-8000- 23542300x8000000000000000392710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:21.012{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85D1D37AF268EB7C05C292CC62BFEC1,SHA256=D791FAAD1591E4DEF5A511A6D920B9C23CE185048B414009E47C3E0227B88B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:22.311{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D605B7798BFA0EB38F61FA7B6F175A1C,SHA256=21BBBB793088D4F456DB97F77BD9CDEADCCA29739104E442E049EFCF69E6187E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:22.207{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C8DF058999C46A89B6281431404E7A3F,SHA256=9DDCDE70F99536E93791A290990D7D5B2D0A5C73B99119FB5C64111009192EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:22.082{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3A0D47303AA4F851369E70EB6021D0,SHA256=8B5A08A4EB9D6E13E6234CB708B364254A678A085638A83BBB07B928F057ED14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:23.413{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E073AA94B75F494278FC4C7E7EC227F4,SHA256=807FB7D7D59D58A2394F8DF1DD3FF22EBA1CD6239E4891D628B4ECB1D3ACE33D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.644{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.642{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.637{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.635{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.634{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.631{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.630{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.629{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.627{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.624{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.623{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.616{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.613{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.605{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.597{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.594{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.582{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.576{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.567{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.560{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.553{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.526{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.518{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.513{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.497{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.487{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.472{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000392715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.469{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 23542300x8000000000000000392714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:23.163{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758FB2B3C929CB31D11A82F07349083E,SHA256=B9118580603E3615D4175AD8C527427D426EB6B5099D90F02FB4950BA10DA042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:24.483{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CEF11516652E1297C96E09E43D4279,SHA256=A2959C761879A37ED399FA76DCEB38027D2D2E86563BF606E926DB766D96F20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:24.369{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66A41170406E66AE8DBFEBBFBD870CE,SHA256=C5975031DE313D99EF39B8FB770C614B05744CD09B612993F7B7E5B7D5DAF49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:25.569{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5955B2CB6E8F9276A9E48202C41A984E,SHA256=0BD6FC79A15FDEFB4D6C87546D9D81BEC2C994FC986CDC0744E02D76D3BBDCB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:23.523{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54056-false10.0.1.12-8000- 23542300x8000000000000000392745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:25.424{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA2EDF44FD13850C2BB3C34EE2695B3,SHA256=044A8FA8DBAD400D30B21EE245D548553917CC831140965E5491EB12AACA319A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:26.905{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-061MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:26.657{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24797376125D1D1EC0B4FFC89F462B89,SHA256=7093F265630ED0B43B2CE4A859EE6BABCF1A1D165B8494EED983C87097AEF72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:26.499{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4501D05C1EAFC5DB04700ABC8104C9,SHA256=CAE9E5B2208DCBA0A21294847EC4315C6A7D4F0AD377C220DF2AAB9FA3C0DDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:27.913{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:27.724{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA0DD37611055CA1E5BA455DCA7C51F,SHA256=257AA370E2301955E6F23AB0256D7E99DAA0FF8F63D7F88028ADD9C12A7102EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:27.584{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189D71BE588323CF5A0901293726A713,SHA256=93CE2D30742A14D33120F2836FAF66D6D39AF8108DB8DF63E884F04992AE0497,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:24.844{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50459-false10.0.1.12-8000- 23542300x8000000000000000839203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:28.805{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC97B9A171F4DD70DBA552FE984A53A,SHA256=BDD3304C132FA444CC95176CA3BCAA71FCAE29C3F27F343B65D9E265B9C95EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:28.669{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD2B2D9341E8F3086F711B00A8B487F,SHA256=ECBF15231876A92EC26308BB4E58004685EDFB1B39D7C7D58B87473EF1424933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:29.879{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E569CB9C5556C62672587EEE9C7AFE91,SHA256=444D47D811636145DFF467ECBD662A366BCA31BD3A813382A0156ABE83AC00E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:29.763{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508531713DE9CB84BC9B7099999727D8,SHA256=82C9A95C33B34B4F856117B9F13A5DBEDA60BE66AE4565F77E55E1975BCF0F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:30.955{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C02692BE9083DEDCA0B46147E4D19BA,SHA256=41465888C585B270926E909EDA70E932BB6EDE2F33CC8E09E2F579CD73678124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:30.848{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F89DD5FD5BADF177079490AB17618F7,SHA256=8BE4810401B1847EDF67E38647A4D43775D3A2B43C5DE0AAB58268F903015B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:31.923{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144E30A4821233CB24A5A6076D338ADB,SHA256=7D2AC64353C71698555A4BE233C9A9DD21FA9D3B389C5EA07FA5E6E8BB189EDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:29.491{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54057-false10.0.1.12-8000- 23542300x8000000000000000839207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:32.047{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4DF5E47CB28AF71B44C683CCD5ECFB,SHA256=3C80FE174ECA504B0118B95F2215CED79BE366AE96839BCEA46FD3686710B4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:33.149{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BBC6C4CCD70F99D38BEFCDC6B75572,SHA256=9CFED2011C9D4EB6BDEDD306B2C6DC77298581B59441A200840692AB0583F800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:29.993{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50460-false10.0.1.12-8000- 23542300x8000000000000000392753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:33.036{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB6F92B2297308040B6C118F87E4B81,SHA256=2BADECFF04C1B2258AD1B0BE5AF49F80ADBCE111D30D44871A29027436BC9CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:34.238{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD5DFE6FE401F6962AB14E6E690A5FC,SHA256=58A341C1DE4A07AD9E4589BBBCEB5927B4E96E239C4C202285F3476C2280B22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:34.123{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58500149C769AEA13F843326C5E60A09,SHA256=0F66089F74B8B6A1AF5FC88FE98659542ED991445C270872E6198ED7AEF9E3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:35.323{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E0F487F007C9CF6491F10BA6D0695E,SHA256=1DA7CD13235735F25A89312BF4121CF5E46B7C731B34783814D744A19649CD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:35.221{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62B4FD9C3C8AABEA9856B7BEBE643B1,SHA256=F79B2B03DD2BF25D35150C03A6A69352858E76AD2C5A3ACA84075552FA8E848B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:34.603{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54058-false10.0.1.12-8000- 23542300x8000000000000000839211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:36.387{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495EE5946C04AD5F6AEB03435DE4DD0C,SHA256=A8F73DD37D2174EA21DE8FE435FCAC4DC64C8BB42FBAA5DDD66F5644A41B869A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:36.298{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653CBFA845FEFA82C51F8D91905CADA6,SHA256=0C9A2D04229BCE2525A88760098C760F14BAD2D82E044B056B11500606A8C9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:37.379{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC07712A76F705E660E82417952A3C6D,SHA256=C8516994B9D44F190BBB7FA2B12E2C24B406489F09C4AEEB84070709EBB25D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:37.485{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F14AEAD722A261A75F643049F305A7,SHA256=2CA3351782E1C113B831C26B3A20D12A9E0FD387BC00C2E5EBF68AE8750FDA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:37.282{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E51645EFE78AD6DA4EE484106FBD86F7,SHA256=B769806E5C003EC8850DC4D9480FD2DEE5DC92FE3D4DB174C7310BAD646B3009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:37.145{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=95CD2948953C9CF516DF47D2B5EBA54E,SHA256=4493B7BFB98BBC3B8E3119C0FDA22DBB5CB8AF8CC9527CF4D306DD1B96BDF897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:38.469{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B84766A499BFE2130840EF4FA1A517,SHA256=11C8AB0D2B98834A82F01792158257ACD69DB7F55414884A1420F33857639CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.852{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.546{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA19708F9D8ACCE6934D0C00988AC644,SHA256=1757CB613CB201E23BF7B53CFC9887B68545D542C4C1C1C0D1F8B20345B3978C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.311{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.307{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=33FF87FCA9EDA12B6F1C3C4408486B96,SHA256=91BBC736279E16236FF8EB79368550A12D59366663CF918129FBA4FA91398FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.306{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.299{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.297{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.281{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.279{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.277{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.270{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.263{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.260{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.257{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.254{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.222{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.209{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.193{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.188{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.181{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.174{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.168{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.160{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.153{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.143{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.133{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.072{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:38.069{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 354300x8000000000000000392762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:35.949{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50461-false10.0.1.12-8000- 23542300x8000000000000000392761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:39.554{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C4F1942C39066D49B1E2B5A4F8B846,SHA256=310D5700FB9577967975A82915BEB090A2966881A9AB26C2181C15506BD85829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:39.608{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363CB72A52201CF6C63BD649097E37F4,SHA256=F30408BC39CD4295F75F08BED2B05A54F73C8EB1FE704A18CE3A0FBA5C5F0FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:40.640{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4565EF08906D3E794DBA746AA175F9,SHA256=E8D60FA200235E1025E9E3164C40F273537D0ACA22B388125DC859080BA4B60F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.873{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.872{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.680{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829B218D8F31F43650B2B0BE04E59F3A,SHA256=0964874679FC9A2E645FAB3ECA4DCD9456C1E18730E68065335FA372A3649093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:41.721{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0A2BD6EE2E8CD7D1455EAE1FC43485,SHA256=22F0D34C567394784C401810326E1B6C37586D7E821AA7D971CB97D85A61D657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.766{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19838C5DA3919A8AF0B05123115BEE42,SHA256=DC195C3B07359DA177ABE5A4D1097BAD8A210924222BA3024FBB62C3E1230A24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.403{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.400{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.397{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.395{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.394{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.392{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:41.391{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000392765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:42.803{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D25A2A119EE94AEC65BD4EFEAC862A,SHA256=93C4A022315B5D4EEB11CB57A6FC9677791F3E20CB573CD87C2D7BE182D33F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:42.851{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBE94E141A50186A8A197B0FBE9CC2C,SHA256=754E3D34ADD9E9DE90DE45154910B61917210DBF0A47FF13B167D9C2009E0B5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:40.592{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54059-false10.0.1.12-8000- 23542300x8000000000000000839257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:43.928{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B80DCB9B84FEFE6BEB341460536992D,SHA256=14D3DED36422BB3B5251191B7DC73390820810BE39D98159184DC5BBD7E3D792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.658{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.656{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.652{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.651{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.648{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.646{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.644{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.640{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.633{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.624{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.618{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.616{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.603{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.595{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.587{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.576{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.567{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.544{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.537{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.531{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.523{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.516{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.508{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.498{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:43.493{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 354300x8000000000000000392796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:40.997{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50462-false10.0.1.12-8000- 23542300x8000000000000000392795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:44.049{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECAC1D2D853F07407B3C55842746BBE,SHA256=0131F49D68138146FCA6512B27CC83215ABF2291FB6BEB3A4E28FA5ED8465EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:45.011{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17445D18CC8F936362D87958ABB9F2F,SHA256=E74D3222B3822B6A4C03C622D720D838BB6FCC03E89D525EBEF3300B56A4919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:45.158{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B9E91D5C5569323A8A81A47C94F3BC,SHA256=DE6F29C4F855B90B5C9BBD4BB7CAE9C7CC7E587996D7A31E6D5CF51F5EFFCF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.221{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.220{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FE28A487737B636982E79129B4B30F,SHA256=636E0B762832C5E9A8E37E44684B9FB4E6CC5B16B5373ED51560816E50D9EAFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.206{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:46.107{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CF4FC1720341AA1AAB95E23BA09D78,SHA256=EB00B57CD7E6CA040EA1D72B7C74D6B5F3EA6A9944DB8D292DAF970133BB8B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:47.290{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B4B30AEF8CFA7934F059FF13852FF5,SHA256=B224631D97605A2368763C8A0DEFA2BA6B95CB19B94FE5E0221B8B6516A8FF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:47.183{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A636543E7D2DBBB8BD73034A10C314,SHA256=A5BCEC9D450C471F8C73B47C27FA6445500FCD408B069781B35F691BF578B767,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000839260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:33:47.090{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9049e-0xd8b019cb) 23542300x8000000000000000392804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:48.376{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E36E382A10D8964097DA006B6E467E,SHA256=05DFD3F61B4D7A5DE47B65BB66D2DF658CB851C512A702DCDDF07826B8FA68D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:46.551{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54060-false10.0.1.12-8000- 23542300x8000000000000000839262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:48.268{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C075D5F546468CAACAB27D257865B8,SHA256=6AE99F92543DF9528C34E87449D90C4DB272BCA337B4E27E4D84EDF1E225C425,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.941{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.942{E56ECBBF-237D-6387-6302-000000009902}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.629{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:49.457{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951B73A491AA60DB76EA3168CD357A45,SHA256=6971911D1EDA9B7AD145AE8874A25A65215F2A52FAA3E1D67DBE69006A5C6A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:49.342{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A304EDF45056B0040987F1BE63A85DF,SHA256=DAD35E9874C10321ACDA029139B907975CB19353760E22011C2176087F2AD364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:50.425{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C335D6231A465B90FE2D6F1D0EF37F,SHA256=0EBBBB7CD26ADD7D030E8314815EF6A46EFF88755D5A42A18D23722032F2D6C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.604{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.605{E56ECBBF-237E-6387-6402-000000009902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.542{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8A2614BB0EB48C885CF9CBD3B28535,SHA256=5FFE68121E0F8B4800FDBF0E02FBE6F304E1A0D8BCA9AB3963DAA2CDC783BE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.385{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=19272B50F4785C52735A1A3632C677DD,SHA256=2693E9A0F08C64C18CE9EBD5C7FDDBEBC331707E6E259BF5AFAF711C491EE590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:50.123{E56ECBBF-237D-6387-6302-000000009902}7843136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:46.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50463-false10.0.1.12-8000- 23542300x8000000000000000839266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:51.505{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7497C003D438DD0FF150F09C6C8883,SHA256=3A8D14B027920769F7E570FFD8620C17C25ECF07737273C95827A297778F701A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.752{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E837C25FC8C1F4AB78706E804E6EC9C4,SHA256=3FDA72A4BB2FA68C8DA0999F9B3159914B9A4792A8D2AE882C430717FE4A42C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.423{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=512DF70D57A20EECCB7AEC30998AFD46,SHA256=6CCD4F79A6AA78F752BAB89AF16CAE01F907EC191A080739FEA8B31B18C43683,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.392{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.393{E56ECBBF-237F-6387-6502-000000009902}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000392838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:48.370{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50464-false10.0.1.12-8089- 23542300x8000000000000000392837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:51.035{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=290994DE80DF6B6546BCCD80C49430FE,SHA256=FC6BEF8AFCDC9A0A7D45CEDADF3D302167698E0D58F1B13288561BF60CF0E081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:52.817{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7BDADAF5AC387EF18D8AADCAE43B1D,SHA256=2AB0E88F3019F0895FDCC847ACAB9AC8ECEF3BC3645DD9F280FA06D58BFDE1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.859{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.585{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7662B885E86452440E22BA16E679AB8A,SHA256=14054AD2D28DF097DD106DB296FB09832EE54B38A1D4BFDDB65FCF4E9815723D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.917{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCCD28F49B1379B1F91B9EC66B079CC,SHA256=D1710E18650D617D1A72D453011450EEA0D5C7A596801A9BF52E6B7A03BED901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.885{E56ECBBF-2381-6387-6602-000000009902}14483404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:53.669{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B58542E0876A52EE4E3742C980CE5CF,SHA256=9B21DB9EFCC1F9134D5CD21B3FB5B13FCF2456A3CB3541B0A5D8509FEAE9064A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.729{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:53.730{E56ECBBF-2381-6387-6602-000000009902}1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24F5C81AE301AE67881541B08AFD641,SHA256=BA8D4D0F2220BD53ECEEC79D5E25E908683EFA33FA09ABF958E8EE5E46E245FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.909{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.910{E56ECBBF-2382-6387-6802-000000009902}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.539{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54062-false10.0.1.12-8000- 23542300x8000000000000000839271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:54.746{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7353C0B4457806D4A4DB23F0EEF487,SHA256=81EF97F399E7A73D5BDDA131159EE17A74C9F33630E395563C09BFB78D44739C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.627{E56ECBBF-2382-6387-6702-000000009902}2520948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.409{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:54.410{E56ECBBF-2382-6387-6702-000000009902}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:52.290{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54061-false10.0.1.12-8089- 10341000x8000000000000000392912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.996{E56ECBBF-2383-6387-6902-000000009902}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.979{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75E57F1BF2BFB62DE031E55441ACFE6,SHA256=81426BCE9EFF616AB8FF07CC7E22FF740BD9F866C9A1EA55326789AF0C855B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:55.827{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC423D6D9C87C96FF273CC932EC832AF,SHA256=6040940A1F645E8A090642E00E8B536BB29280B6FBB38749C4A77441FDBACC24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:55.106{E56ECBBF-2382-6387-6802-000000009902}7204044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:56.907{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D7315409D8C277DCD313A9D0482266,SHA256=3E81AF2CA2F285A7C417DA83129709814152A5FA6B3349C1A68CEC18B46BF073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:57.997{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B074466C4129DE04A94C9AD3BA21CC,SHA256=FEF0E7C7608DA922C1C2FF319FEC7B2614E664C8C1A1655A78E8D53E9AEDD193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:57.090{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502296772CCE7B39DCE77187FDDF89EC,SHA256=74C34B0D924C25B90A2A5487B87B332831D690C1E48301CA34750E257C501DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:52.917{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50465-false10.0.1.12-8000- 23542300x8000000000000000392913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:57.058{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED39A4F26187C309C8588B9DC498335,SHA256=E808627ADC0CD9DCB06122AF939435321A30C33DD566C4480FD6DDCFA5EF427A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:58.160{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E398C228CB16912BD6694887D06525CA,SHA256=8680999FA1198E6870029C00AAFD2BF083ACD4869AE0285397B68EE220E67972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.887{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.468{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.463{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.456{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.453{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.436{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.434{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.432{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.427{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.417{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.403{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.399{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.396{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.370{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.364{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.338{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.322{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.317{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.308{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.290{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.282{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.270{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.262{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.248{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.111{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:58.098{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000392917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:59.235{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC7DDEC2234ACC6AA41354BE9502562,SHA256=6ED6A2DC0543C439E6565916B9D4DB3E7235792DCF9F19ECD78977B9F82E9E3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:56.685{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local138netbios-dgm 354300x8000000000000000839303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:56.685{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000839302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:59.127{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86F0453A12F020834F8D76ABD7C683D,SHA256=AC5670DFB18E176C50EA0C3EC3C1226C647E1B43D395C2497CD93570995B8840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:00.320{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7061E1EDEC480464C685F0F69122D41B,SHA256=5F3AF58F29907BC297C955DDAF73A22499ED5FC9B053B9C2421DEC80A141D357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:00.927{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:00.926{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 354300x8000000000000000839306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:33:57.646{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54063-false10.0.1.12-8000- 23542300x8000000000000000839305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:00.211{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964DD68EC66D43D93E2B44F447DB73E,SHA256=CEEDA1AC3F24C1E4703FA33085FC3752C9D53C4100932829B4A272E4F9B18983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:01.395{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB208A7F83EA7224F693050B65B08515,SHA256=DAB15B6A939B8D4C73277C7B40CFC4ECB1D5872144CC66665709BDB60F249CB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.863{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.863{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.863{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.453{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.450{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.447{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.443{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.442{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.439{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.439{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:01.281{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B066559E15BB912569AFB96A1219CBA5,SHA256=B9D15645243842EC0561E99225A84D19203AEDF95C2AEB3C64A45937F4124DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:02.476{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC4239DADF0315177DD44D3350498DF,SHA256=2CFD4B96704472E90FF239F325CEB19B7364A4418BFEB9B1D9126D9B77B2190E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:02.379{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079EE2FF9F9FE0E0D849512455C6FF38,SHA256=3DA8BBF963D4C087DC4EA8BBED3F84374B307BA813000382C8987B1B7F6D783F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:33:58.904{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50466-false10.0.1.12-8000- 23542300x8000000000000000839322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:03.467{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C768A1D747E3495F10B9994F40E6F0,SHA256=DC61E9D321531F278ACCD45E4C01682C123D4529C3E62F212D3D7B8B82A48450,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.644{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.642{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.640{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.639{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.636{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.633{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.630{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.627{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.623{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.622{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.614{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.611{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.604{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.595{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.593{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.579{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.573{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.563{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.555{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000392931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.552{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD94C62723663A9E35AE22917A635217,SHA256=81C30272F9639E3D242C55CAFDC2B6344881135A4559BA4C0F4D847B3591FE99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.545{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.516{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.511{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.505{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.497{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.490{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.483{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.476{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000392922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:03.472{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000392952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:04.632{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7358B82C5D3651778260F32316E3FEF5,SHA256=1669276248420BA3DEC6DE32FFB9CB73531DEBE60E15F4E168E6349C78F878E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:04.556{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4998DF2F62A3BE638DC77D8F78A6C03,SHA256=E96433BF8DD0E274CF15C1939A13C777D05A0546C7A93AA12683BB776384458D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.775{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.775{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.775{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 23542300x8000000000000000839352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.753{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5C192571794A29003C4B25447FCB0E36,SHA256=5A6D42153776B383809DC147B9BAA46D159996E61DECCD73C287D1D1FA41110F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.672{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.673{8A63456F-238D-6387-6902-000000009802}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.656{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E8AD0A7AE707EB2F1A54AC64533D40,SHA256=23475488D251BAC49C2D075CB3102F37083592277A0A8A2829047AD53E28799B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:05.721{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3B8405EA1BBA7F90E354E70C9B5F93,SHA256=CE5B3506557E7D6BA3CEBEBBEFE430E67FE734B08903F014CBA72BB9230CE068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:03.580{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54064-false10.0.1.12-8000- 10341000x8000000000000000839336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.001{8A63456F-238D-6387-6802-000000009802}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:06.784{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57D23E732A90EBC71ABF64A5A7156E0,SHA256=688FE15BA8B19307E94C7797CCFF2E7E0AE46D71E9D687D0B9AA246F9247554D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.651{8A63456F-238E-6387-6A02-000000009802}30884584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.344{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.345{8A63456F-238E-6387-6A02-000000009802}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:06.063{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79C11459BCEC58AC1A68B724E16CF7B5,SHA256=1114C2E47978E1AF1CB584378D56CD6FC17B70BCF2E76F626EC262AC26277851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:07.871{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08109614F744349E260A25DF6B11AB89,SHA256=60771FCEA74AAABF7F66E28E74C9D232AD887C5A9FCE932D114A5B9CB2D42466,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.806{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54065-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:05.806{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54065-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000839372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:07.467{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=415E08A8DAE642D3A71D0D5206B947FC,SHA256=B5E80C90ED267AEED103374E747DE22D2FB7440B64F94270ADBE6B1834CE7DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:07.233{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6883C37EC10D5C3A8EB34928EEA66B,SHA256=44F541AF69FE8C9E385B2E558900AAF25CE797E3D02F2D053031805D5E5B90C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:04.853{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50467-false10.0.1.12-8000- 23542300x8000000000000000392957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:08.953{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742390048EA8034E11F9821B9EC73E61,SHA256=3E7D4A849171EDEA9593E24234CEF70224F184C3BF298BDE18FEB60927ABA352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.556{8A63456F-2390-6387-6B02-000000009802}43644340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.384{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.385{8A63456F-2390-6387-6B02-000000009802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:08.353{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B8D4188B0FF1E625DCF574A3C7F699,SHA256=2F151F10DB4899BD4DC8952C3366C8356C022CA7BFD333DD26A69BF1EC05C25B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.821{8A63456F-2391-6387-6D02-000000009802}46724728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.818{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.818{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.818{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 23542300x8000000000000000839417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.804{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93231C901E491E0759C313F8D905052A,SHA256=7AA4871B21FBB2DA8519339F4249455A0F78655B9D956C8EF91A4F41FB96685E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.638{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.639{8A63456F-2391-6387-6D02-000000009802}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.285{8A63456F-2391-6387-6C02-000000009802}26644428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.066{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.068{8A63456F-2391-6387-6C02-000000009802}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:10.715{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214F4C36AC7148C0657D581D7870D881,SHA256=30657BBBF5DEAA845CFD4FD640F8B5B4331944F7B30EEA0C7CDDDE741290BC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:10.036{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071477793A51A8A63BF86AA6DF2341C6,SHA256=8453DC4870BFEF422F41D2D95FD0C60C5B0AD6C36798D8180BFB392534D39FBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.821{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.816{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.816{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.815{8A63456F-2393-6387-6E02-000000009802}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:11.798{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E97BBE874485503D3CA070E0A98690,SHA256=DFCB03D22605D60997F57E721481CE2860BA27BC8120DD3EBA936F58D9137829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:11.123{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7EAE99CD864F4D99B8A32F4AE189EF,SHA256=529495090D058B9F3A39FDA809AB7E9014D6C48E11598794DDC2549804615E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:09.493{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54066-false10.0.1.12-8000- 23542300x8000000000000000839439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:12.934{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71794079C65A5E97AA273882FB15732D,SHA256=5270C13A48D17B62C658EE9822AFC68735F050F2BB1205994AB2DBBB2D2F6FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:12.879{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1EE3FD118DBCC9A5141AC92AF999C1,SHA256=1872F191D86CDD4DEF6D5B1DDE88FEFB681D76C2479C36071D67057717E0E895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:12.208{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EE43DE51F5092D0CC5AE8DC9EFF311,SHA256=75539EC4856131F113487FA9A2A3A37C37AA26232D98D07C0A479BC7A98ECAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:13.976{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0519644B02FA5800F968FB382CF261A9,SHA256=D0698648CFB3F0BB43008BC88839907ACFB4793DD7B8ED3265A13DA1D0F3A9CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:10.855{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50468-false10.0.1.12-8000- 23542300x8000000000000000392961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:13.409{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6635419EC81BB2263D1A6D31D8374F,SHA256=F01DE184269BF2AE69EF46FC29B9FF88253BC4A4391754F21039CC0D24A38DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:14.481{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0CFB6384CAA97D1D2297C66E8D8D2A,SHA256=D0ECB8B5C825A8D7934982A215A96459AD23DD69AB88657387E40D019D79B72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:14.051{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-062MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:15.561{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA4759F704034244F34084FA48BA068,SHA256=D0D12312839AF05E03EABBE1A2D099B7C56D1E2B8B1544390C47E65BAF8C335E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:15.048{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6906049E3B9F7A0268B70724AFBD2D3B,SHA256=7F70C4189DAB46EAC8136B62D8FBBD717F742AC5C1C9617AC193882E075E75E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:15.056{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:16.626{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEEA1215FF79EF8455F6F2A65E443A3,SHA256=EE38E0DF8F0B5E8D0433BCAC78E1C949433D382E669D4CC6DAB2AC93CEBF4A5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:14.541{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54067-false10.0.1.12-8000- 23542300x8000000000000000839442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:16.131{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6967AA8B9295669F0F6D34A97F0F56F,SHA256=EDDE913193910672B49E589F8E5BB6F913947CC84330F1AC49693233332A96C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:17.814{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAADCC668BBF4F592C32CB19D8DB6A4,SHA256=F233D253B55DF924927EEB7C6CC60C7B6924A865D22FA822C1D5160D00C30812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:17.209{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECC10AC0138343D5C25FF2389E2FD7D,SHA256=9C0D80AA6B145087C06E8BD74EE8892CDC430A92A46F2754BFEA4D1E9511FB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:18.911{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ED06286F4A3C0D8C37CFBED105B680,SHA256=0A08CF66EED70C126718FEA3B2046A4D3914B8DE2E32343593CA9119C8DE87FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.684{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.316{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.312{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.301{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.297{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.278{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE24762BB22E1591F226B289C1D9E899,SHA256=1882CB5BC6D223CA3E3B58AFDC9CDA5B2FA73A85571B75BD23A0DF673E70AB01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.270{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.265{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.262{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.256{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.243{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.238{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.235{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.233{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.205{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.197{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.185{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.179{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.173{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.163{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.153{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.145{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.136{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.127{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.121{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.071{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:18.055{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000392971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:19.984{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CE4F515FBADBB5C3BF7496BD23EE95,SHA256=4FD6EF91E037A3DE5F8BC781284E468834CC1FEA98DCCACC66A2B7E3A6CAFE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:19.312{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA29E4CFF146727578A08B273D5437B,SHA256=7EF8DDD6EAFC04D01EF9CC206E48F39EBA140232F5A2CD6595F90FFB2682C6A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:16.813{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50469-false10.0.1.12-8000- 10341000x8000000000000000839475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.707{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.705{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.396{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD68D6B4B242CB695B655ECF9A32DC6C,SHA256=F948752A41536ABC48756C28BF0BAF0F73CB336C0D35DA79EF0A32EF934A5ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EC881760B5A16FB3AAFB49FD09D671,SHA256=D88245C29251B536DA6B974C0139BD81235109A9BEF4DAED3995B4AB8E812E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:21.647{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C93E02256B5E9AF57D5C117E5338BDD2,SHA256=DCEE5F052D955DAFDD427AF5F3D05245105F46884D7C35276BF0C50A3A5412D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:21.074{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEC1E99DF92CF1AD09197161A2FE580,SHA256=79D82B886D14C1C4BF95769D6495F0713CCEF5F17A47A6C7C6F2EC05E1E53E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.226{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.223{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.220{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.217{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.216{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.214{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 10341000x8000000000000000839476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:21.213{8A63456F-147F-6387-3100-000000009802}29523552C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00610) 23542300x8000000000000000839484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:22.544{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B02544F9A3BE3402E758526F649DA54,SHA256=0B1961DE2C047DA45086EDD76E3388A89546026A9BAB8B909DFCA782E9B8C071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:22.141{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874A941AAE25EAFF6F07E2F7F59CACC4,SHA256=4C3D06153C5F76372F91F825885AC02F51ECDF164841EAD8D1B3842210E318D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:23.618{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73ECC8AB16533A19EC387D58DA71CB4A,SHA256=A9A92A3B033A2EB37277BF94C0E293921E69E057D4B6C8080E59244F8A037B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.727{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.723{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.716{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.713{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000393000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.712{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.710{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.709{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.707{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.706{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.701{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.699{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.692{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.689{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.678{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.668{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.664{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.642{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.627{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.616{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.606{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.591{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.557{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.545{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.537{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.526{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.516{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.493{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.477{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 10341000x8000000000000000392976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.474{E56ECBBF-146F-6387-1E00-000000009902}20202820C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880850) 23542300x8000000000000000392975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:23.214{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484EF21D329A36CC117452E30CB8B066,SHA256=1B6421672D5A52BC08C0D07786AE60CE52DE4024E91B8C1B86A47A8E78885319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:20.509{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54068-false10.0.1.12-8000- 23542300x8000000000000000839487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:24.696{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0B9FA5064E92198551028E6A41F4AC,SHA256=4E69E514AE3F52384B6217B7B164EBB3D4B9F24C901625360A800E5236A2F86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:24.776{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A816A97713C61DC5ECB37A7B7C8009,SHA256=D8528674A23D13FBAD806E419C8814C47CD42D8E29506DC493AFC3BB67EEE89C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:21.986{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50470-false10.0.1.12-8000- 23542300x8000000000000000839488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:25.784{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8A7948E9463D929E566B1994C009A1,SHA256=3734BA9EBFA3B4942AF0663F862A800A252BE52140E27431108D65587CDCC2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:25.813{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11681EA0468AC0C634F25F424A87B3E0,SHA256=3819D5091C289F1C68CCFCE3545BDEBD195606F42E5A95F9CF7A2827DB03C69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:26.857{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2907A875EA6975E8079E6C13838F87D,SHA256=92F00602CB3F334809A2430618B03A79074C54714C4CD1ACCA162DC609C1E887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:26.872{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B96C2260E02E46400FA48BFE7932FA,SHA256=D7DCE8CE2A6123875D96552123FFED129FB0F23D6344AE572433CD078A079883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:27.938{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FC8F872625312B601576F019BE0897,SHA256=F7E87656EFD61506D7DDFAB7F904A56F04288D1D72C2365EE24CABC88048748F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:27.953{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CF1298A926BC020BCFA0948672F24C,SHA256=63A21358AC46DE92B476BA0BB015A8140FF8554B623AEE87822980FB61A9E988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:28.452{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-062MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:25.588{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54069-false10.0.1.12-8000- 23542300x8000000000000000839494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:29.464{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:29.007{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C95D960B7A05181CFAD9F5D3EC69F6,SHA256=DD0A76CA7655FDD43489F8B01020B51215F02E667A9E827999CF95F8054C0E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:29.025{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CCE25AEDFB3301CDBEAAC9F365DFE3,SHA256=610EEC315B4B3C45218DF74A5C048A6F384E9117A22EA5844D7B6F36F60688EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:30.069{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C7B44AD4D0165CA56E5E83312F355F,SHA256=3A50B212DB78D7D258398C715189C1BC398A8E6DFFF36242354C1032E3801580,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:27.824{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50471-false10.0.1.12-8000- 23542300x8000000000000000393011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:30.102{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1A3472F1427ACC22B5F2EF2AC96323,SHA256=A79A1EA347D13605C5ACBAB975973ED092A5C3EF8D38FABDB5D87305139131F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:31.172{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34AA276AD1A2E1C74620D17DCAC470A,SHA256=3EB7D1BA5E804597AAF2638E2B1703195D375C482627256E4B1FE7FAD8846B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:31.144{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AE4EB17A06A50232784B8AB0A50BC0,SHA256=0D645E06FB9C3BEE2CD9B8F4BF03E8E65B33E25B1CDAAAECDFE4A37DE769819B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:32.249{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838F72177726F96F2F0BF0B1FB89DF50,SHA256=C15A1054F33FF75489777706A1E5E428996A8C5D862B07DA621B5920DAD554A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:32.218{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67DA520624BC372FA8A8F2FC93F5DD8,SHA256=6C4ECBC3D8519EF4484C9A87E49D6313C54079DDBBC4E976CE7270E6CE3066CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:33.326{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47AF4B3E20AD2063F3E276626C2444A,SHA256=E9E83A25614D51D2094285105F08AA66FA58FDB2571D897CBBD73AF2245BC682,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:31.584{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54070-false10.0.1.12-8000- 23542300x8000000000000000839498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:33.298{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F8B712EFF13D381DBB9700C25F83F5,SHA256=022E6D482E08FA7527D426640A54B4DCF902A40844556031A07A29B158423617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:34.411{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B4779C173F7920FC1BC67811C04787,SHA256=6FD2E4C3EFB4FAC290F005881BEA862F40489E7EA51D896B84B2EEA40040434D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:34.373{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAB987E68F9E2A66A2DB39514809A98,SHA256=C1046454C26C8186ADA7E7BDAB2668CFC79A188ECE4D83B4738674E00227C08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:35.490{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3179A6067891D1E132F487CFB7E585,SHA256=CCB656AE8FA7250E94C8474CE0D954D7B23B3B983D1C8202E884BC6C482D9748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:35.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E818DA4CA715EC93B8AA43FB4F451719,SHA256=6443999ACB05030A77CB2FECC58BA789D5E94E227A06242CF00160CBDCF60534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:36.692{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9DA78DD462A170F12635670D90C97CB4,SHA256=4387E2D0FB805B1D1E5FD11F349D94268CE277FE7BF726154AA685720F8F0BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:36.549{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B16DF7EE315C9B307ABA7143CA6DCF2,SHA256=086775FD6A94C319D1881B64BDBF5320E070C569D9DEB68E0FE6F315958511CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:36.562{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D5E4FBF66E8B149D498BEABC99E037,SHA256=BC3ED7073501D8DFE4BD44FEE909F35E2BD15CF7CAFE0FCE1C8A97087A42C321,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:32.917{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50472-false10.0.1.12-8000- 23542300x8000000000000000839504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:37.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52E468D8D9F71A2D7E4EF1200458B93,SHA256=987FB52CE3B3C8F17A1B8F1A517BFCBB4D9E02CC23C597AE43728068A0E437DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:37.653{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27B09E67178CC98D3E07CB3ACEBDEC7,SHA256=3EE4B8766B2E6DF96543A3A709BBD8050F69612BE08772D2B78BF2065F9D8168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:37.153{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=65A1D612A36DC585CBF32E79B41F7B26,SHA256=A55A0B9812DC83DF0D119569D7113FEB354C6EDF97D9ABC92CF51FBE6174E2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.705{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.662{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DAC4456FDF100D9ECAAB66FD62315D,SHA256=3C54B71FFD81C0B0874F3234269C4531D26D990EE0C5BE0FF726DD1927A61969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:38.729{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA660D088E989D7059AA49530D41A1C3,SHA256=C1EEB6A62FFE6228321EFD518A421918F408744B12A2B0465F61F76207580517,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.327{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.324{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.312{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.311{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=09519B5201A0D0F4FF8EDB609355605F,SHA256=C840167CC9090B0EE79B2D801B309AAF3D6A2CB9E8F7A80BFA4599C3A4E937BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.308{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.284{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.282{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.280{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.273{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.262{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.258{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.256{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.254{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.218{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.210{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.192{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.185{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.172{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.165{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.154{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.138{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.130{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.118{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.106{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.058{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:38.055{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:39.723{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC3460A6EF8E2B0F71EE9C995396FA3,SHA256=927197E8367FEB537EE3AE92EFBF2C808A2BFB7519D82C2D1D29B97B27755D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:39.804{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9E243A49CAD3B9C55F64F17861EFA5,SHA256=A42291F9AD427150AB54B60EE39BF64DE045D16AED35CF05480C7BF55E2BB7D6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000839543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000839542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ba0e4) 13241300x8000000000000000839541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x95cc4fe6) 13241300x8000000000000000839540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0xf790b7e6) 13241300x8000000000000000839539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a7-0x59551fe6) 13241300x8000000000000000839538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000839537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ba0e4) 13241300x8000000000000000839536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x95cc4fe6) 13241300x8000000000000000839535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0xf790b7e6) 13241300x8000000000000000839534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:39.660{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a7-0x59551fe6) 354300x8000000000000000839533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:37.547{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54071-false10.0.1.12-8000- 23542300x8000000000000000393024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:40.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AFDFB0A890DD40DFBB2EF1CCF0E128,SHA256=93E1DD31D5656BFFBF3CBBF9FF260DD3C137EC7671A0F8050A0E19D9D92FACA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:40.801{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687514CEBBC3BD405E830EE4FCC9BA19,SHA256=4BFDF737A56581838109DDCDECE007263470EAE72EA9957C243F362FF58599EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:40.743{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:40.741{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000393026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:41.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C918507C0E90EEEE8D25D8430C09D07,SHA256=935B4C1FE6E4FD4F5542167D97873D19B4CBAC949159E540CFDFCC4BAE09CC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.762{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02AC70B10DC5391308EF4585D92399B,SHA256=CB548AEDD53A4248798CA6B67B51E6278FE497B3EBE671165CE372C16EFD9FBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:38.865{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50473-false10.0.1.12-8000- 10341000x8000000000000000839554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.266{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.264{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.261{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.259{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.258{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.256{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:41.256{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:42.849{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F13A84B70ADBBCEC9FBF38719C2EAD3,SHA256=2F2930F6A0CA03B52B727AC1BEF4D8574847542616CEFA818C04595617703F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:43.925{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD15CA293AF73E06C1ED5EC99512A8C0,SHA256=B535F0A6A6CDACD7D09B53A5D76F55E1C89675EBBE7355E2F178647E11B2168B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.639{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.637{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.635{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.633{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.632{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.630{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.629{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.627{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.625{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.622{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.621{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.617{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.614{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.608{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.602{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.600{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.582{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.574{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.563{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.551{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.524{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.517{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.509{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.501{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.493{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.487{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.482{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000393028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.477{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 23542300x8000000000000000393027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.048{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B184638890AFA48989E3BAE74D72A276,SHA256=B735A8C062B84736FB93403FB950505D32C040AE2317BF9FC871339CFCAF0D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:44.324{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7F4FD1D868B0C0E8FD0A660EADCB64,SHA256=6CD912EB714335988FF9B532A68FB31F0C531FE822165410CBE890ADD4E7659A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:45.403{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37850C1CA5D45160D27E772E53899561,SHA256=61D0AFC10DB6A00CFFE146D3EECC9E4FC4FA115C57EE0A4B1F38029FAB9F289C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:43.510{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54072-false10.0.1.12-8000- 23542300x8000000000000000839558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:45.008{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B7461E611D66A06EA108D326AECCF4,SHA256=63134424862D34B0F8CC0551FC3261A51C74E72DD775F775429C438542A3FEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.465{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881D73D8C0C158669BB021FA5AEF59C3,SHA256=A4301D662BA067B372E4625D23222A1620E3AF2FC2DB13D4C54E51D9378626D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:46.083{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998ECB8EA07CAAC2FFBFFDBE72735884,SHA256=755ABF6F07550A42C19A5FEE81D7A33547E8071606CF2BD793BE015563EEEE29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.221{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.221{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:46.207{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:47.546{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2391EBB3ED065507EC361CFAA6578E33,SHA256=F2745D299D14D24BDD94E7D417930B44BB33D705C16E54C4EECE37FBD0D637E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:47.174{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD26E86A3FDE8FEBE21A0A5B84CCD92,SHA256=5CD7E788EEFA3E54DB607C6F90C2BDDF40C434B0F85297C2073AD0235D747F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:43.988{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50474-false10.0.1.12-8000- 23542300x8000000000000000393066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:48.619{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46FE812384A37BD67827E6D164E0D1C,SHA256=A205A8970C61EC836B66C2A47113995DB0AE7486B63CC0594360F844E57C5A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:48.259{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A211983C783F952FB88788443225D7,SHA256=F59551FA691D421FD6A5A9ED13A91848CEBCC2A9F0A1EF9B1D6B5B30487271C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.854{E56ECBBF-23B9-6387-6A02-000000009902}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.697{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041B7EA0B965D94A39809399566938A2,SHA256=4E8D345FB47E2C5E53342FF0514A7FBD6F43C69942B4C1A5928F5001F07EBFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.650{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:49.338{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42C1A3BA16F3CFF91B9AEE27850E83C,SHA256=F22E07CFED13E7FE3B6BF66209DDD13734A3BC18EECB8FF708EC3F7EBE591502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.984{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8176AD386DE268A2B5AE80841733D956,SHA256=4E2AC6C9308C2D9E9F3A901CF9E4DC5F4CA102A1927539B01ADAB75AA099F0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.984{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110435FDC69B8CD4F2D5D16A92882BAF,SHA256=BAE588681EAFACC8A757B53CF12F8B381F15D96D378F3F956640330033D9E2D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:48.611{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54073-false10.0.1.12-8000- 23542300x8000000000000000839564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:50.429{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB6F89961556267716A32F4A725CC57,SHA256=80C0D2952F44173876E6D15862BC7B4E8D152E84EB5DC9836984F3E69E9D1F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.632{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CE391B3EA6F05763FD01915BEAE84EBB,SHA256=F55A9F352F17A4F70C540A684812CC680E31E46A413991A41B51AEE066C19F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.592{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.592{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.592{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.534{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:50.535{E56ECBBF-23BA-6387-6B02-000000009902}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.994{E56ECBBF-23B9-6387-6A02-000000009902}11963708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:51.520{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF3003ACB6042A2E427C639D92A896A,SHA256=B619444706FADAB078B09A79338374F709C516B953E839D97C5113C5F19BFE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.856{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5C48181E9315F7EEF70FF94B07DDA0E0,SHA256=40B5DFEC889EB510AC1443F75E868EA2941C0F9ED96B2B4E5DB336264243A13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:48.390{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50475-false10.0.1.12-8089- 10341000x8000000000000000393114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:51.404{E56ECBBF-23BB-6387-6C02-000000009902}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:49.853{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50476-false10.0.1.12-8000- 23542300x8000000000000000393117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:52.192{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BAE03110E778FCFD24D4BB0941365A,SHA256=F6D418DE067BECD6A40D6359893AF0CCFE7AEE2F4372C5764CB74F2CD05F536F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:52.876{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:52.607{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583409B89D5C25CBC577039494EA7A45,SHA256=15372888EB298250625D840222E2B02881BA888E4884AD15AEAD282E9B14D454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.938{E56ECBBF-23BD-6387-6D02-000000009902}31522304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.735{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.736{E56ECBBF-23BD-6387-6D02-000000009902}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:53.290{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179F47556D6339C793E05C05596A2423,SHA256=5E5A22BFC260319498847155EB86E957D86109645C7545C83387E1A4A06FDA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:53.688{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF4DF6EAD2E3E84F649BF5060D5906E,SHA256=A5CAE3EDECAC5EFFBD51827067824894C5C9CC6D180FF70898E8D848E6745432,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:52.305{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54074-false10.0.1.12-8089- 23542300x8000000000000000839570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:54.776{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A419F9A46A34CD7C064EE0FEA976DA,SHA256=2377F41F56BD468BF86C2329E822C139500C82EB01312F1BDA7C7D89829C5231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.557{E56ECBBF-23BE-6387-6E02-000000009902}15121884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.400{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.401{E56ECBBF-23BE-6387-6E02-000000009902}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.369{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4BAD6461BFA87EA9E215D7ED6BEC43,SHA256=523F729D0DB369B8E1A17F9417B014514685603798BE7B7B0B94949063FCB8EB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000839573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:34:55.911{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9049f-0x01b66b3f) 23542300x8000000000000000839572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:55.864{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502BB15BB296799FD466D167169C2A44,SHA256=B99F33A44C9FE5D4EC610D22ACA87018CAF8A19D6EE807FC093B1592F907E14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.485{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362CAA1BAA9471995C33BACBB064A653,SHA256=F877D6CE9B256D5618BA8D9BCCD7C109CD8B5E36343A60BE00BC74AF08BA4D9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.220{E56ECBBF-23BF-6387-6F02-000000009902}3080868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:55.095{E56ECBBF-23BF-6387-6F02-000000009902}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:56.952{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE27ECE74AA74F3EB6B72E57147D232E,SHA256=67CD59C5DAEF7C7B45889581BC25997E6CB62D92B5350BC3D3FAA0CD151C4B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.638{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AD6605DCB8545C68D83977007AA7C4,SHA256=73AD1041FBE77FF8CAD2C7473ACC97DB0CE5ED5F7BC2A2404E1309BD6566D7A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:54.612{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54075-false10.0.1.12-8000- 23542300x8000000000000000393177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.176{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80755D31A427CCBD28EE6FE9F5823198,SHA256=382E9EDB4E632A4E3F1334CB3A40659DF756613AD23997BB61C6D1214F2E49B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.014{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:56.011{E56ECBBF-23C0-6387-7002-000000009902}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:57.721{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E611DB19A6E6F1147A49B8090E34E4,SHA256=06965FF67CCF99A4E45E33C3388411F03DBF6B07C256FAF20D387DEB21087BC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:54.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50477-false10.0.1.12-8000- 23542300x8000000000000000393181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:58.797{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF3E18691C14B03EE5D008B8D945AE8,SHA256=DCA87B1710E23E9EB24C4BEBB133C7875FAC1AE9D80A688F8B5F33A3DE49A172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.842{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.326{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.320{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.311{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.308{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.290{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.287{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.283{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.276{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.267{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.264{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.260{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.258{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.221{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.210{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.197{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.190{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.184{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.174{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.167{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.159{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.152{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.144{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.134{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.075{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.068{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:58.048{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F0267FDEE84F72C11BBC25AFA15F47,SHA256=DAEAF11FCD1FBC12979056D21D0D6E798F2625EF5F1101B41ED98D9E93911754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:34:59.874{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521471CDCC89F039988ED7F5B8BC2086,SHA256=F149C581D63A6CEF62C24A5CD18F2364A69DD15E1320E652419A683EBD2FFB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:34:59.068{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D3A6DBCA4D8DAB1E4CBD7200C681ED,SHA256=89D21AD7CCE19FB43AADD53138351F5D077DC1F31A8FEA7E0100208E73B025BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:00.966{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64CC8FCC995735BB80DFECC8E17BAA0,SHA256=89012E2FA3A2DB9CF06B1EDA46A67E1B2E4906E5B77E10B4EBCD98386A240818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.885{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.883{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.171{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E0B77528913DBCC9ABFA41625EF4D7,SHA256=9561802DB3706D045987FABB3DB2F682629E2DB4F59FE0D99C5DF9D50FE4B1FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.861{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.861{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.861{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.849{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.404{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.401{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.399{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.396{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.396{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.393{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.393{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:01.236{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900187C84A31C4BCA6648F94B1ABEA5E,SHA256=22BBAEBB9322CDCE1EE1E1E6BF897D23CBBEC6E290E815E0977ECB7CCDEED227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:02.312{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98171680EF205EBEBD48D4C78F3DF95,SHA256=F818CC698CE28B254F2FB19A1475DBCDF50940C2227453F941F6F9FB93A6319D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:02.026{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA126820C30D4A3B5F1ADDFB22BC5E2,SHA256=879298DF4879C891303750CFD5ACFF48BD1235FA09DD92D93F4C984F00244785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:03.394{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE83442D1420C8F62F46F7DAC8237C2,SHA256=B654C8D89F84D2FF8116A403F5BAE35F4FCDCF7AFFB3AD649887CBB5DD48D4B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.652{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.648{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.644{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.643{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.633{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.632{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.631{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.628{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.623{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.621{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.610{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.601{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.594{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 354300x8000000000000000393200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:00.797{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50478-false10.0.1.12-8000- 10341000x8000000000000000393199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.591{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.579{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.573{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.564{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.557{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.546{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.520{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.514{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.507{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.499{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.492{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.485{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.478{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 10341000x8000000000000000393186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.475{E56ECBBF-146F-6387-1E00-000000009902}20202848C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E003D0) 23542300x8000000000000000393185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:03.106{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C85D1CB732DF73568144C5FFBF0E171,SHA256=E2A977A93FE0DF7BE1C50A93A9BF63476DFE476B1D5E88FA83EB8F80858F1A1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:00.540{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54076-false10.0.1.12-8000- 23542300x8000000000000000839622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:04.475{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B650A59CAED9EFC9505395562A6666,SHA256=B1F2B49E516DADB00E79CF7740DB4148B9D88F876050CA67BF62C72A7BD7E8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:04.440{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515FBB4EBB17139F363805E98F36ACB4,SHA256=403435492BBF22FB924483BCF1361C60A55ABA887A84C1B50A3B5C65D96811C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.928{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A64409F0D1FDA62DE1F7837B3D6588B4,SHA256=13BF1160516AE172D5379D86CC5E42987C5A171F313C06EBC72C5AE60A2AB4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.551{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF662315F531339E09D3E0299ADE7BF5,SHA256=677442058C899D00A8DE58503A200B67D06672410F7982F5F2B95A3A055F139E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.520{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.521{8A63456F-23C9-6387-7002-000000009802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:05.504{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8EEBE386F6C179AD8AED9156957A07,SHA256=E5CD3080BE48CD73C81480E0DA268D8ADFCF3953DFCACAAE7EACCFC90E47B8D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.239{8A63456F-23C9-6387-6F02-000000009802}6203880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.020{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.021{8A63456F-23C9-6387-6F02-000000009802}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.917{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=17EBF6BC417FEFF6F51BACC65E214F88,SHA256=07557C844A87158B74B158B26CFA434BCF3FF04284E5EBB166F341DF4CFBBD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.804{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB7471D3AF3AA5C23BB90BC86B81A2C,SHA256=3B82648AB029169DAD9A8BCC3488147A3EC9CFFA178755D3EE2700254D65DD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:06.607{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EFEF538BCA0210E64FBC4B6640FC9A,SHA256=CC51C02F0E81171F010212460E7278FC9F57D64934F752BBCD9A615873FDF056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.178{8A63456F-23CA-6387-7102-000000009802}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.115{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B52CAD7309F7F95A97B32972100898,SHA256=8AA478EC6EF45B023FD72E77CD5A56D71F69E421742C5F040901956F2FE615DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:07.935{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F0D40A7A51959B07600795D8003791,SHA256=98369CD96E71866B0EFA99C98694B3CBDE721D008CDD3148FE69D4BBA006B981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:07.692{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF430BF81321ACAE388B60CCE40959B6,SHA256=0ECB170BF7CA4BA821A91997732DC8BFB1693FBA5BECAE64AA1E2656AAEC1FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:08.763{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47024ED2A537C81C1BDA22E18EF0AED2,SHA256=7BB2EA87D6BCA6537157A6EA235D6E2D89066615A560DC99B7CDA77164BBE0DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:05.853{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50479-false10.0.1.12-8000- 10341000x8000000000000000839684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.565{8A63456F-23CC-6387-7202-000000009802}4512880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.393{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:08.394{8A63456F-23CC-6387-7202-000000009802}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.826{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54077-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:05.826{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54077-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000393222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:09.845{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1AF881FE32FA80C8747CE7E9B2274D,SHA256=340B41DEC545B22979685D2CEDFDD83C2A1AE78E5869855FB3EF0754C5613854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.919{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.918{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.918{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.913{8A63456F-23CD-6387-7402-000000009802}18525076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.583{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.584{8A63456F-23CD-6387-7402-000000009802}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000839700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.332{8A63456F-23CD-6387-7302-000000009802}47601936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000839699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:06.535{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54078-false10.0.1.12-8000- 10341000x8000000000000000839698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.066{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.067{8A63456F-23CD-6387-7302-000000009802}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:09.020{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10934DF737F610A218581A325610C6A,SHA256=C10BD3BAFE84719029B4E1E5521C92B07B49ED90D03219150995339B099A155E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:10.938{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23EFBF6F3DE4C8578FF9B24E3891BBF,SHA256=AD12C6FA8179DCD790FC0AEC168DFEF438E1E5C0035435AF2170AD06E221A177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:10.151{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C678113BBC5C63FB4192D6961A01C371,SHA256=07E0E514B98F2ADAFB209A28819E08C10A3F0146A9D863A528494104567635E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.914{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.914{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.914{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000839732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-146E-6387-0500-000000009802}412544C:\Windows\system32\csrss.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000839721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.828{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000839720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.829{8A63456F-23CF-6387-7502-000000009802}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.191{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CA74508979C649E38D87E1DA736A39,SHA256=B8C3EFBD8BE077ED776208B0FE0DFE8DB9E7FFF3DD2C4C106E5E74BE498E36DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:12.015{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FD135A0C6B1156A68513C1A6A5CCD9,SHA256=7D1655959BBD6D79C6258DB147B23D1A587FD4C340CC23C73F065663B165922C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:12.916{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51DD8FF2BADB9CAE6BBF7CD6F2D98679,SHA256=2D2F79A7937894FEDF3DA47DEDE739DE22CF3FD2559553CF6420DF54FC3CAFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:12.251{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBDA0A4EF565F90E27F401331A63B2B,SHA256=58C56FECCB8627FE20A9F7510F6B4D8D8430C83BC541675D8BFDE0F972E38211,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:10.966{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50480-false10.0.1.12-8000- 23542300x8000000000000000393225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:13.097{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50274E5A92363F628F95A26177272A28,SHA256=31D0C4094A08AB763F26F366CB15C826B9448A15577B0528691E78DC098B6663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:13.330{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51735C59663A10D544F9C015A7150D8F,SHA256=876AA36E8D87D972464C83FB5730026AD6F7D16C0FDAD774864355F38CA0FE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:14.166{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3F956527DA3935C952287807A7970B,SHA256=D8CF2EDCC0DFE1A26104D38FF48370C706B584089538BBEAC0FBC10796B2F6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:14.393{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4429273303109F533AB47166267F51F2,SHA256=EB6A44805153063185A3F2ACBDB1E2C65EE8A1178B284F34C0EE850B627033C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:11.571{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54079-false10.0.1.12-8000- 23542300x8000000000000000393229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:15.579{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-063MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:15.260{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BCFEFBABD479D86BF1AA43FA04F6DA,SHA256=D48E21F89558DD8AAAF4700BEC4DF3F90ABAF08B19D499E9DA2DBB07BD2A73A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:15.486{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0B3FCCDB068ECE76CAB21B8F7568EB,SHA256=8A782F33F179156A42F3BF1C0EDD4887BA1FE224F67C8EFCE7ED7994F47D88A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:16.588{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:16.321{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD4CA8D8ABD2BF03068F9E7B6A8D7D6,SHA256=C9C2BBB4BA67A9369C188E8F541550FA65EB81920648810FEE239892FBE6359E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:16.582{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394A99300B55E3F6E2236EAC9B02A8C0,SHA256=8C3DBEB3222C357A7411401972D20C796199D88F1211DDE6F0A6ECE44BFCF8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:17.411{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E390537AD41EAD2DCDEB0455DDDA9F0B,SHA256=7F3B1C12BD2762614C5ED6B39457DEB42FB0ABAF75E172865B64E73B6852F001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:17.664{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA409F54E9D3A61532E089CD80E8574,SHA256=2095C23053D4C32EE0EE3A3C00F75EF0D2CF4540D1847A2461D1FF672E67279F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:18.474{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431EF42DECEABD81E7BCF23297936506,SHA256=D9F8DFCCC3B642785340DDF8BD9A50D929BFF1B7D871A2C7B1AADF1B472C6E0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.926{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.713{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D62382D390FB1C5AE2CEA0C92AC3177,SHA256=51F186E3CBB1F44D7B1FA336983B3013D21CD4E93036CA9102C48E9D9D9DFE6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.366{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.362{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.353{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.352{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.331{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.327{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.324{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.316{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.307{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.300{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.298{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.295{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.245{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.230{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.207{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.199{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.188{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.177{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.166{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.147{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.141{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.131{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.122{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.056{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:18.052{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:19.761{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED81B62E87F93E19903CA5CC5AD20DA,SHA256=AE707D78FF99DF338C049E98DB294F97F94062CC21E4DDBEA148E48EE19B17D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:19.557{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB09B86E5BA222492126B33B08116FBD,SHA256=CC8E369CFC86F61CB37825C203D1E1A3483E0FFA28DA7AC47D50415592441970,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:20.949{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:20.948{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:20.819{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0BFE0E6DCC7C094284DB7320D5DA18,SHA256=E0B2343793D4CD3CBE1E6B67B50418830809D22F81AEBF133110C7BD53E7715C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:20.631{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44B8F91069984E28BEBD23C29BEFA61,SHA256=634EA32AC04A2F674B4414A98ADAB9C0D064D3ECDEF6CF3798B33BD52EA47EE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:17.578{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54080-false10.0.1.12-8000- 354300x8000000000000000393235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:16.925{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50481-false10.0.1.12-8000- 23542300x8000000000000000839783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.888{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C9843B92305A22CDB92453B07D9F80,SHA256=5243EF28E7A67BC316C48A017676D9727FF7FA7C14A126D5B6ECEA27CF07D4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:21.709{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6D32F3F6B62272E0FEEC3D6FF4E79B,SHA256=3E490D2DBABA6D0A60DF75D1891DA5103B7C97A887532BAD2BB549FAA7C2F905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.466{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.464{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.461{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.459{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.458{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.456{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:21.455{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000839784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.966{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4274E914F2C8DD6DEE120B0972B30EBE,SHA256=9BD1BB0051E01112A686AE5B05CA29D294F95DA768E0257F503A8BC9F1149421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:22.781{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E563E5C7219C65D6BF9FF57378923A75,SHA256=4C6FAB0DB4CFF1BC851A0811CA3AA9C40A3AE370E21C3CBC2278F8161F3EC21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:22.046{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=976B7F4A403E86238F92C0AC48A34BC3,SHA256=8BE106929C936056E2B655823F1724529005EB209D861AEE7E61A24B25F6F70B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.876{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.876{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.876{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000839789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:35:23.029{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_1DB41A76-0000-0000-0000-100000000000.XML 13241300x8000000000000000839788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:35:23.029{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Config SourceDWORD (0x00000001) 13241300x8000000000000000839787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:35:23.029{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77.XML 10341000x8000000000000000839786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.013{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.013{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.645{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.642{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.639{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.637{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.636{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.632{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.631{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.630{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.629{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.625{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.623{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.619{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.615{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.609{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.602{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.599{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.589{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.582{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.573{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.565{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.554{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.524{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.515{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.509{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.494{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.488{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.471{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000393240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:23.469{E56ECBBF-146F-6387-1E00-000000009902}20202852C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA610) 10341000x8000000000000000839803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.880{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.880{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.708{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.708{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.708{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000839798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.480{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local50107-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000839797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.480{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53831- 354300x8000000000000000839796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.479{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53831-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domain 354300x8000000000000000839795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.461{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54081-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000839794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.461{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54081-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 23542300x8000000000000000839793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.032{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BBDF5D99B0012B9CBEBFE12171C7D2,SHA256=32DE918B7840294DA617636D6F0763EE25CB3BEE2AC324500DF3FA5D487DF12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:24.019{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDCFF4CFEC48920AC20899C1D3D19DE,SHA256=1E207AC196E63A508B4664F85BE47CF3ACA4C7698F1A03EBB7F1D63FAAD7A238,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.321{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54083-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:23.321{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54083-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:22.616{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54082-false10.0.1.12-8000- 23542300x8000000000000000839805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:25.114{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA7B368F74B102001ACDD9974632066,SHA256=06C2DD81605D70243A2BDD7B12EA2C1F3606E2A16A8A4018DBB2B84899112FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:25.057{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67B73172CC8A70D8C4A4EA9B473F3E0,SHA256=E2278736D71FB7F0566C62BB43CBBEF1726C6B6D83BA48C01BB6BF12A8EFE2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:25.005{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F12C2CE4B8F384B7DCD0D42FA67C0020,SHA256=A4848F507793CCC30E5311DDE1C0DEB7E415650CE4FCBE4ED9BAE533F16734B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.153{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54084-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:24.153{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54084-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000839809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:26.184{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E75ADD436C7796B637548800B7F2FE7,SHA256=18FFEDFEFCDA3E7DE472C770D2562834A24401000FDC0342224E33393B48B6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:26.132{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FE50F436684D5886F3FD905A7F33BB,SHA256=CC8AC42D09EBD16DC0146C9E9033D009456F1A167C7DBBD7BE076FDBF9C5F650,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:22.773{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50482-false10.0.1.12-8000- 23542300x8000000000000000839812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:27.258{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4870982D7A8E13932FD47D66BF428B,SHA256=9260058A090EFBFD0825A625E03E1F905DB3D34C050CD383440AAD8BD20AB309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:27.198{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7186EC9BAAF34A01514344EB0DD186,SHA256=269D576F45A22E2BF14C7E9BC1FD310208158ED988AA79BFFA5844913F51DEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:28.276{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F99D61645BACD4244578383FCD8A79,SHA256=4771FAE2F8F38EBD68EBD9605AEDEFF320ECC342C4C9F4476FDE92740FCFE17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:28.321{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FC3A17EDFFAC8D7DB48979C4D8E97B,SHA256=6B3AF995C0BAD33B30FBDE71E074730A7A8F23BC7B33D7B9A1A535E737613EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:29.348{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BC9B19A7A47FA6D24E50E660719E2A,SHA256=E5301EA1C930973E71E2FCBD63D497B846D5DD27AAE44B2F525CD24514C8833C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:29.998{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-063MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:29.392{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EA4EA072417C5FE53B0907C16C90FB,SHA256=64D8AF73B07FACC7A8ADC47B29D7822920A4F67F475A12614D6FE32D8B5E43DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:30.433{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4EDD1965594BEEF4F2A5F4325873AF,SHA256=EC524610B7EDB94AB80F40104441DEF8EE76F4048D5CE3A2F2003FFE295E82BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:28.515{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54085-false10.0.1.12-8000- 23542300x8000000000000000839816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:30.459{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C375A3BA3018612FAD8658FBF1F0F79,SHA256=F23C093CFB2923F291195B2EA9FF97154A11BCB07F82BFA31E649433D3546D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:31.529{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C1868CA3B0AFFF1302E5595154E7B0,SHA256=6A462B685B940F745000209E75F86D6B645DCB8C540805E0896D7F511C7FB026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:31.533{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6436BD6F2A24919C268E5E90F8255AF3,SHA256=4A0128D733491AC6ADF314F96FB7C1CB0156B5374DC0F587AA0C272102C66B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:31.002{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:32.600{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6830F0B1A9F9D4783053FE12F0763F,SHA256=46A09F316A2B87ECC528FE7B7FB612E78AB0815BFDD139032DF475101048F639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:32.610{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A284B0778FD2F3B1811059C2545403,SHA256=58B7D62B377F529681EF2974EF232E4CA6038F5069FD934619D3DD794C282E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:28.797{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50483-false10.0.1.12-8000- 23542300x8000000000000000393280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:33.681{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99819FEC98EB8CAFF781541EE67C3C6,SHA256=243EDE422CF5FBD6B4BC9C0E2EC5E46A39EAF48E809D23390E4D89C8AD9052C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:33.695{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EE2C7CFCB942B6627847DF7A1622E5,SHA256=CF3670934F233B18CB0434DFD92E5F7CAE2A672BA2D8CD6CE0487F78A864F475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:34.770{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DD99224DBE2C7E8B7C5673F980B446,SHA256=2CE10ED228FCFA836BC09B2547C6D24EA953EEE9F330C5832F696EF56CD8FA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:34.764{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C76BB1439C5ACEA452F2EAEFDD93B23,SHA256=8E969EB725F069056B913B3E5D5FB55E182BC22C42828B9F8F1E877E4010FB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:35.846{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8181948DB1EAB769C4772E612F6CF048,SHA256=6A5B8C4A38E5DFD4E6AB4FA316926BFD834522F851006B3CF55E219D52F84392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:35.845{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C8BDC11ECECE49B083A7A185925835,SHA256=30386873E6A7147F69A0FC58EF4D285E6DE947C7A190CED97E607393E376371E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:36.916{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201DF9BB6421B6E8E82B4AE40CA01F83,SHA256=4FC0E5878A0BB9820EBFC9457EE40978EDF67AE3E82AAEC9076E91427F4C1EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:36.929{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DC6CA7A3312A62BB6A171C126546D6,SHA256=7FC21D348CE49BAEF47794971DD9DB0686F39B408E4BF49B6A8187783E3CA4B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:34.559{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54086-false10.0.1.12-8000- 354300x8000000000000000393285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:33.960{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50484-false10.0.1.12-8000- 23542300x8000000000000000393284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:37.159{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C19F68C1DA0B78DAE08708C38CF0F8E7,SHA256=AA93BE8F24EEFD7E2872C95CCC50D1A03DBCC7D1913E12CFC3D8A6CACF402520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:37.008{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=802C4094F2CA80CF7ED5FC12E75B0B35,SHA256=D3A7E13C261D229809ECBE27D8AD984D6175A5E4CA7428A371C38FADA80AC593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.356{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.346{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.329{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.328{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.316{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A41489CD5635F78E361F910A6F7126FD,SHA256=68D9E03C8D8B8C19422AE942478308703CBE40C1A3C59A5A44B3404B0A32ABBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.283{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.279{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.273{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.268{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.254{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.241{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.236{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.229{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.198{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.192{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.176{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.170{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.160{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.148{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.139{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.128{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.118{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.111{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.103{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.049{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.046{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:38.017{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6283A5EB24D0EE783262085EC86B90F2,SHA256=769B613F51CF0E2A5C319DE704341E6CB340DC39CBFEB9CB1667D4B92521AD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:38.010{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2B016AC5BE889DFE06264FD5EA35FD,SHA256=DE922C4719119F103A4923AEF8EDA5B29D66FC561674ACCF99B0F9DF80814BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:39.413{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2252B9B15FA05053C6992C6A8B24FF8,SHA256=5051CE51F28C7A29754D269B4CEA47F0C35C0E2799134C96632D2062931C384E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:39.099{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479B1F4C06B545049EEAF1292DB3C593,SHA256=FD32CF0DA5985A10D2B494CF33571CAC6DD8E6669BD2FF579CD0C1A1902A505E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:39.007{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:40.441{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E96004DC30A17A1237A272F014CA782,SHA256=874947312B9148F502BE3DB725250C6D0E15AEC1E841B8930593DB3841C7AD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:40.177{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D38BB17431B08D62CB488AB03159DC0,SHA256=CA603338C0EF10A2016FC5F6FB52D15692E97673689E642633889731A562EB9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.561{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.559{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.556{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.554{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.553{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.551{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.550{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 23542300x8000000000000000839859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.533{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69642EA317AF227B57B1DE0ABD1673EE,SHA256=41C5CC55417D3DA16D498ECBBFCB3E081907568DF8A0470FF87B23F1EEE81411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:41.264{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C470C17BCE6155FCC957641C9E036E4,SHA256=D5CD6B44BF22EEEF4A742F1FD31CCF16952DFF498426850E9FC159DD16F89614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.046{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 10341000x8000000000000000839857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:41.045{8A63456F-147F-6387-3100-000000009802}29523136C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438850) 354300x8000000000000000839868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:40.522{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54087-false10.0.1.12-8000- 23542300x8000000000000000839867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:42.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665F6B5C56C207697F06C0AF24BC918F,SHA256=05F7E5044BBCDDB6DB7673BB1A5167C511AA8DC83F8480508D83872DEA8095B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:38.978{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50485-false10.0.1.12-8000- 23542300x8000000000000000393290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:42.349{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BC3B0B51013A90EB43073741B7D719,SHA256=99A4C5971278C73D6078494FC8F6514E690BDDC070BB05295FA9D740D2ED4B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.712{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E7CB168FF8212CA7EF259684430910,SHA256=DD8F60D7A97EE60B1CDAAC8C21C579D8A3C0B53CD19236B245F44DC131033CC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.756{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.751{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.748{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.744{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.742{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.738{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.737{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.734{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.729{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.721{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.720{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.714{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.708{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.696{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.685{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.680{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.654{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.647{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.638{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.624{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.613{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.580{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.570{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.557{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.535{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.523{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.514{E56ECBBF-146F-6387-1E00-000000009902}20202840C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x8000000000000000393294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.497{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 10341000x8000000000000000393293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.495{E56ECBBF-146F-6387-1E00-000000009902}20202844C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DBA190) 23542300x8000000000000000393292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:43.427{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C2D57661D288966CB22F597FA7C051,SHA256=19BBDF38EBBF3F59162EFCF2D6F6F3BDFB4FC41C09270AF9C3383AF7B93D0048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:44.689{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC857F140C579FD74A62BD31F304569,SHA256=A452DE9C2D7EB422803E15F6756F09448F4614AC5E89EA9491D8F8C589352FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.827{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9991A773D8FE9FB38BA490485407D9E,SHA256=5641BE1730E90A29439CC269D34C740F0FFC8E7FB7B50F8B03F90664AD44FFE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000839890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.424{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97cd2|C:\Windows\system32\kerberos.DLL+79ec8|C:\Windows\system32\kerberos.DLL+1453f|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+2dad6|C:\Windows\system32\lsasrv.dll+33369|C:\Windows\system32\lsasrv.dll+30cb7|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+17b1d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000839886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.331{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:44.315{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000839899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.873{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54090-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000839898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.873{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54090-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000839897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.776{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54089-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.776{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54089-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.765{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54088-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000839894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:43.765{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54088-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000839893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:45.905{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5D6B5C31927C12C697EE24A0D08C80,SHA256=B45FC9D7007CEABDC7C9B9BD84C565349AC2E5A63606F839EBF5B09553595802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:45.793{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8F9D1FBE741DCF06ADF8B61F8FDE1F,SHA256=DAA1035306AEC9A3861C4E419AD1D61540EC328CBBEC94C35FB8BECED97B2497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:45.483{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B31F9FBFBCCB38F4753C864B7F404A9,SHA256=10177844DE499E190F735211249FB99A93C679C322CF40E050879101F63134F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:46.991{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E75A9A3E02AD4EAC820E23860A8745,SHA256=5492EC3F3B648BB5181DAC244DF0E672FED935245B6DC98670418BE10871EFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.860{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3149A0176ACE4EA01CBF27D397AEF159,SHA256=DA92E9D7B7D6AE83A2DB0C80A6CC0C8104FE05B1B7FA607FE82F876357053F77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.224{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.224{E56ECBBF-146E-6387-0B00-000000009902}6441464C:\Windows\system32\lsass.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:46.208{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:47.956{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876B784DE62EC71A18C838879B75C5C2,SHA256=921E430FAC7F86869B1DA6508E44D6343897FEFF31F2182573E7A669606516D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:44.971{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50486-false10.0.1.12-8000- 23542300x8000000000000000839902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:48.106{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B46914D3DD0F2BFAC4930642A5BEEB2,SHA256=B8E102455758DE5FC98D84FB4AE7C3D2649BF6C75F43945D23D180515B053CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000839901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:45.553{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54091-false10.0.1.12-8000- 23542300x8000000000000000839903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:49.091{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD768C15967A865ACC358E0CEC06ACA,SHA256=42E64DF4E22316785C005D39FDDAC2EDACF424C12D374A6F26ECDCA435902CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.880{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.881{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.677{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:49.029{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EF6E29BD30EB4A95E6CB3F37E5AF6E,SHA256=4AB02FD6E1E7FFED1E0DF214257622B4E94ABFC179FA2300FCA89FF564C4FB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.963{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5CDEF255320B97DE632FE7CD506697,SHA256=BB81A5E0F05BB5604AD3B724DA13795F538DC8B92F10927B87B4E48663C33F03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.541{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.542{E56ECBBF-23F6-6387-7202-000000009902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.119{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD76D3527E8DA107D13DAEB6007B57F,SHA256=512A846FB969AD19689A784FC23E5A6E07131C677160FA37CD63DF319BB800F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.088{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5654D375F7CCE2D08DEEB425E24660B0,SHA256=27480A95317F787E17300DE3935B9A65AA56BF66F659E7F86883F6F1DB4BC1F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.049{E56ECBBF-23F5-6387-7102-000000009902}29523432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000839904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:50.182{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1E90B89E7C2CEE7517AD006A85413C,SHA256=2A8438550D3C72C5FC8EF924E69AE20B5E549BA863DDF6BAE31E89CDF6BF0A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.023{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.023{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.023{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23F5-6387-7102-000000009902}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.407{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.409{E56ECBBF-23F7-6387-7302-000000009902}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:48.416{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50487-false10.0.1.12-8089- 23542300x8000000000000000393366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:51.117{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F7F3646849ABCBE62E9BD7F03EE631,SHA256=41636C1FDD7C4E86502E00F9EBE4FA6382D00EE680B85B6EF64286AC9E1A870E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:51.269{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A104436AE3DE8CE0C24606DECADFA37,SHA256=300AEDF9CBE2C2421ADA04B2B1A69CD4B885B07633EFCBD4C7B4AF7392AF0E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:52.261{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=42906FF847581E116D577246463053F7,SHA256=440CBA2FE43D7F7D95FEAB4AC95BC37AA6DBC8F9E26917F6BBEB9AE820A81CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:52.183{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D685CF4B28525F01B9F1C7A50409498,SHA256=4FA8F0D51C5F7B1C6460D5F28A3E6CB93F26440AB901095EB75EEBF215DEAF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:52.899{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:52.361{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D292A6765C39923F2B6F6B738556B7F,SHA256=AC25D6BB083A24BD76D6D2A72DB116B540E7F36121A8E9389F698FD9454859C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.854{E56ECBBF-23F9-6387-7402-000000009902}39442512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.682{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.683{E56ECBBF-23F9-6387-7402-000000009902}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:50.906{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50488-false10.0.1.12-8000- 23542300x8000000000000000393383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:53.260{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A34654F408595ADC3E0D409F3DD9401,SHA256=1A39A10188F110CCA7096A23CEE55E6F29F5804D770E46B68C3BCA5937E1B7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:53.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969D752F92A07381157019EDBD3C4266,SHA256=15D4556EDF9D0C514141C1CC3F3770DEFA40F4D10A82EAC0BF937016D010D273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:54.525{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C18631C7F954A1EE0FAE4F0A17FC389,SHA256=91235E7B6B37CA97A18258C9E7559BE020FC82B326EAC99774F59C34BD897773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.916{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.917{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.541{E56ECBBF-23FA-6387-7502-000000009902}24003172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000393412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.369{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2FF1425F3E425682206C1314EBE2C1,SHA256=E7D679266CFEFB62D0D67300193D587E2996CA3F00E6EF251C1205B499437465,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.353{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:54.354{E56ECBBF-23FA-6387-7502-000000009902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000839910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:52.331{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54093-false10.0.1.12-8089- 354300x8000000000000000839909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:51.556{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54092-false10.0.1.12-8000- 23542300x8000000000000000393431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.525{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1E1A33D47F407A729254E3EEEB4C88,SHA256=C85ADF19116B6FBA2CAFCEDEC114A312F963B0A08BFC0495CA2951F33B18D567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:55.602{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAB76176D1194FB492BC55EFF4BF202,SHA256=4A43123DD6DC1CF5F029B4CB81AB46FE02BCCFA23159D13050FF66AD91508E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.181{E56ECBBF-23FA-6387-7602-000000009902}16243340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.160{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.160{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.160{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FA-6387-7602-000000009902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 23542300x8000000000000000393449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.635{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE939D8E50DF77F1480B61670A96AA5,SHA256=AE7AB00DE5CD118F90B04D26801696F3A205C4767C32AB65A4EF8A338C2C4B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:56.700{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E5EFEDC0DDA3CB1C6B9F961F404AF0,SHA256=EFE6B8499E7BD1FFB37D827F49751F22663B7746953582FB62600D03D47C38A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.129{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.129{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 10341000x8000000000000000393446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.129{E56ECBBF-146F-6387-1E00-000000009902}20202816C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012839A50) 23542300x8000000000000000393445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.103{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14E6FB20FE93A2EC0235584278C1D8DD,SHA256=DE6FE3C275553F8934E8B406BF0904F38C3E088E2C339697329EB66203017923,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.013{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.012{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.011{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000393433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000393432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:56.010{E56ECBBF-23FC-6387-7702-000000009902}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000839913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:56.229{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F260A74817FEA5AE7E6D85E560E902C2,SHA256=8E6295263A9F25F56E7CBDD02606ADABC315CE17E662B5D64556F0C91A87AA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:57.718{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92AD84B09DD5D0E26CF9BB566CC5788,SHA256=5769B4DCB326B1D3583A59DBEF169B8E3E84C60C3AE7A081EF9BB59835CB7FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:57.794{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B4E17DFE855DC7291FC1F681360F2F,SHA256=5F3B818024BC9382BB21BCA863A63FED100941E27087D39BBA686B03598F0B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:58.794{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863333915460704B2F75B271E08AA4DE,SHA256=DD4E82FACFABB66A1AACE4E1A14A0B0715DC9ED5D9085F50669634A85976FC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000839941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.836{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4011BB96E82F6EAFD3C92B711CC2DD23,SHA256=CA254A3D0118F7C48497624D9B6D223F79C0824D840917E3635B85D36D94014E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:35:55.941{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50489-false10.0.1.12-8000- 10341000x8000000000000000839940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.413{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.409{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.402{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.400{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.391{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.388{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.386{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.377{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.367{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.353{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.348{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.346{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.306{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.299{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.278{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.271{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.255{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.232{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000839922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:35:58.222{8A63456F-147F-6387-31