23542300x8000000000000000391905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:21.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519662C150CF23C04FC62D8B9399F9DE,SHA256=AD0951BB768FE9B5561F69BCCE6C4C9380CF0A0B7DE99ABA059E72EEA2287F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:21.868{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8400C541B577B9053F137345121F87D0,SHA256=B15D16AD2216239374A776B3893C1A29427C60D72296E5FC8375AD8596D21934,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000838281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_1DB41A76-0000-0000-0000-100000000000.XML 13241300x8000000000000000838280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Config SourceDWORD (0x00000001) 13241300x8000000000000000838279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-SetValue2022-11-30 09:30:21.854{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DC7B3D7A-FCBD-4A1A-80F7-E8A0928D4E77.XML 10341000x8000000000000000838278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.839{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.839{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.436{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.434{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.431{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.429{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.428{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.426{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 10341000x8000000000000000838270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.426{8A63456F-147F-6387-3100-000000009802}29523544C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001398E3D0) 23542300x8000000000000000838269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.221{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECA1E430C7C200909DEEF84473404D7,SHA256=25C9C1EBC18AA3E1B075ADFB5542B22121CA5A39BD51BEFC62F81265F481443A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:22.973{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE719F07A022A113F4D93E02DC723F9,SHA256=C248B2F5A2626A55249082BDA9F7AF6C28E8E4735E2A60EF6C6BBED0F7DC36DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.690{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.343{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-058MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.292{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB521CE2BCE422D0FE24E3A7EBFC25ED,SHA256=6C67AEF2EEB07CCE5A7D27F3D3FC5E893ED2808E5DDA0EA3B87AC9F570F6E757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:20.022{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50423-false10.0.1.12-8000- 23542300x8000000000000000838296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.738{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61C7B1B976171869DCCBD51A194116D8,SHA256=AD4A441D323A5B54C2E99CA8E695871861B44D8699C53B0E45DC84ABA0F8ECB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.707{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.707{8A63456F-146E-6387-0B00-000000009802}644360C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000838293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.282{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54010-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000838292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.282{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54010-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 10341000x8000000000000000838291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.542{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.386{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6729F8C48348F5DFFB489A102EDC5EB5,SHA256=6F0FF7E93C2CDA32F7FE7895A5595BE530532E20697AB2AB86B7A44C9DF9FB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:23.347{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\surveyor-20221130082951-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000391936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.706{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.699{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.696{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.694{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.693{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.690{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.689{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.687{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.684{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.679{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.677{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.673{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.670{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.658{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.649{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.646{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.625{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.616{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.600{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.585{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.572{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.525{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.516{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.509{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.499{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.490{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.480{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.471{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000391908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:23.468{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 354300x8000000000000000838301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.131{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54011-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.131{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54011-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.302{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:88c1:e4d5:88aa:ffff-53831-truee000:fc:47c7:6689:5d3:4ebe:ff48:8b05-5355llmnr 354300x8000000000000000838298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:21.302{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local53831-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000838297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:24.486{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B24DBABE2BC69E2E5583E200B9C8762,SHA256=A7FB0FB4C7577E5F844BFCC58F81C748E93F6EF058EA65F3400F57E7D79D4BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:24.234{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD5DA8703584F422CBC08073BB11CAD,SHA256=3E51B6FA853B93DEA59132CDF63E72B0540A52832211CEF797FB04EC098F42B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.984{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54012-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:22.984{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54012-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 23542300x8000000000000000838302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:25.582{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D50CE8A2F6C058AA8DE5DDA41910059,SHA256=08D092F21D1A56E238AF52DCBDA067F5A6346D0EECF7A74B40A703D4A6210A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:25.357{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72CAECCE6065A147055881EC02E0848,SHA256=F3EE3F53830DF6FF3871816C03FAE21D7CCD58943808FEA2409DC838101755DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:24.572{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54013-false10.0.1.12-8000- 23542300x8000000000000000838305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:26.680{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB00AA6F326984116E6D2E368A1894EE,SHA256=6AE5788C2EC42DC974213C726A76F3746994FD6EDEA7116748EF09914E358EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:26.448{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9380957F660C2156B598FD5B2EAC6EA4,SHA256=37DF63FEB9000B42BD6693F6605F8E2B422928FB14B7ECF3F933356345CA2BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:27.768{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D965E96E597FF67CDBF0F28E567B44,SHA256=630A9B2AC2B4926B4C609EB74ED3088BFE9E954E70B6088FDC5793CA2268CDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:27.536{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE7BBA0432B3F0C032684C6DCF3E557,SHA256=D92A257E64A1E7783A58EBFAD2ADDDD1CD8C24BD0817CB5A9276291CE3272A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:28.847{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B91C76DC2F64DB3D3A34FA25789A554,SHA256=86E9C25F48D3212B5CF27256D23CAE67BFB02D1F41376EB3D258DEC3400F8893,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:25.985{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50424-false10.0.1.12-8000- 23542300x8000000000000000391941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:28.613{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85412830E4F5D1760007F43FE1110030,SHA256=913C47D1FF859632D1327B889FF0AE8866EA912E53D380A41CDF180BD241F411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:29.938{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255C1FD6F5B5D84E9150347EE1CD541B,SHA256=4F1A0A42D2F5E806F146C34522EC584CE83905A19C8EC5B00905A34EC5BD1E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:29.719{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CB6C71FBCA7342B20AA4CBC8A2B83C,SHA256=6D70B7B03A109D2156A29F2E11F4A6F84A2A2D9E35253DE532E125112F74E963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:30.806{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB163F062F7AF9DEA5D06C82DA054AA9,SHA256=420B6327A1BCB9D6637F15003BF5C217620DE9D000707FB83E71E736FC42469A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:31.883{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CF6ABDFA2CA0AF3FDD507B3F411C75,SHA256=B3673E45A255FFB2D096430B140889C06CD79FACC0815D006F890CA5BFF24B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:31.028{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013ACBEFAD1FE84E04F977904635E58C,SHA256=1C3CB8B486CAB4B8E20FAD839C71101CA8DD4EF3B7C83D005212509E7B781563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:32.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53E82101386AEBAABACC9238A6CAB78,SHA256=710B6824877A2D8B17472ED5C45997326D4820AEC2E2C2087107097FF2D02502,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:30.590{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54014-false10.0.1.12-8000- 23542300x8000000000000000838311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:32.110{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A8E269DCF7872B276436877C9CE987,SHA256=7EA5C21F9B0D3B8B7423BE490A13C24872227A3D586A5E353B0CE3F7C9C82A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:33.207{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8D8FC1A3F2D73A278DD23722830AD9,SHA256=D810B59A9BC3F33B48B86461CF8078985AD950534A8CDF63A81DC6B595409EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:34.285{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F39A72A90295C014B3C22BF2E6623E0,SHA256=B8599E20DFED3B5EC794959CA065F503D8AB61497FC2B8BC5EC8278894DCCE7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:31.962{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50425-false10.0.1.12-8000- 23542300x8000000000000000391947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:34.055{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0526EC0253AE569E98629B368FACD3E1,SHA256=18406CA066AFB47A0275A7E83810EF18DA8D3E7C32395D9277C9C640150FFD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:35.360{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B433663C5A53AE919FD13CE078CF9AFD,SHA256=3559EBA50E2C4B9DEF9125D6041BF271E078F38351C9C77E4E4772EDBDA79628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:35.144{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F7E800DBB2F9300D5A4003172180E1,SHA256=79C2635BD2E79AB7958D5703D373DE4FF9F024CA1F5E654FD5B6CEE308AB43E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:36.649{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=87E984236A039FC240CC432B99CBB9D4,SHA256=28C1FAA966F9C401317122F36CD57F015A73ACFF5C01475109200FD44A4A9715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:36.450{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F881AFBDC1555870EB125A8CEDA63A7E,SHA256=AF8F829D3C6D5713CCA6A36D83E00D2BB880667E474760A7369E66BE8DEB6430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:36.217{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C087E8A83601C185A966413A24BDAE,SHA256=EE452567515998C8F87A17019CE9285B9190471A7C998FB3EBF9423C7141E279,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:35.673{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54015-false10.0.1.12-8000- 23542300x8000000000000000838318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:37.538{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CA8B3C1D8CA6D27FF7376E6F9E62E8,SHA256=03C2B89B195262B101497101D551FCA4A622DE90C3BA7E149FAA6907E98DA01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.306{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308F1D7F311C5082EB23F3905AD806B4,SHA256=BA546E6009671BDB7247689DB7BFB037C37AE934980B374AD1A0D0F799114155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.118{E56ECBBF-146F-6387-1300-000000009902}304NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=40E34E61500C14681CE07CFEF055AD1C,SHA256=8D0CD9D9FC15FA59D7E6CA343EA94081228156884E4AEBB6C291AAAB816CE9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:38.390{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB5069998619C45FFC11C177F778287,SHA256=4C70AF9052988C66FC6177F97EE607C4EBCCB9CE619EDADCBFC491A1557466C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.333{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.328{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.319{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.317{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.304{8A63456F-1471-6387-1000-000000009802}708NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=66FBE1CEEA473AB454273827E5077124,SHA256=A7AD0BAFEADC8C9D4F58F9F08F89912776FD159C27D361BD3E4260799D7EE31D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.282{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.278{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.273{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.255{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.239{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.233{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.231{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.225{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.195{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.182{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.156{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.142{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.137{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.125{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.118{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.111{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.103{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.097{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.090{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.049{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:38.046{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000391954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:39.486{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49D182E5DA517388190A97128BECF2,SHA256=40D5008BE58C27B2E4EF93F6E511E1518C71F653EF5633FD743741C1094929C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:39.141{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:39.039{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A10A59EDF180DF1171004DED5EBE4,SHA256=F1AC1F4633F012F73FEB68E32B31E7A056513E5C2D0F292423FB6751BC6AF4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:40.588{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E1D3E5E79A8119746C4DE510B2E526,SHA256=42DAB8517C787829DFF2F305EAC7EA7D8D687E64649DAFC171A3513ACE5D8E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:40.177{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2132A0244E5163DCCF69C725E532021B,SHA256=101CB3F75BBB0CA60AFA88306EC8FB85DFB2C7F556A5F7127A72A397B9D16AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:41.655{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05431E102CA883482FBE220D98275292,SHA256=80B6ED93B1CEF067A1166610B2C6FCD0E4E2DCFF9DE3B2490D8E4AA39A34DD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.717{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.714{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.711{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.708{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.707{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.703{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.702{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.255{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF5276D3F3BD0622EC7C0E22FF4E8AE,SHA256=0AE2ECDCBB2C9594645C0BBCC49456ACEAA206DB049013516444DF7983A36197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.183{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.181{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 354300x8000000000000000391956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:37.841{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50426-false10.0.1.12-8000- 23542300x8000000000000000391958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:42.738{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A055C30FB6E210298A14E56F7C5BD9,SHA256=FDAA12CCB19C83D4DB4C1862C53FD95CDE682E6DF5385F52730DB7606E8C22A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:42.250{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE8826EE53AED1F89D01B07C9BDA1AB,SHA256=8E1920C02850435945BEE5ADE18C9CAFBAFE43C9A0C2B5753D449D8636AE2A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.987{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083BEAA96A5A98CC3232CDE3DD763E41,SHA256=FC9715A448D6AE387B7BF8D3217C44F6668F671F571547A6F69415A4AB25D0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:41.629{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54016-false10.0.1.12-8000- 23542300x8000000000000000838360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.333{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95695E140D815FA38D318975EDB76CCD,SHA256=7171A55E6B667D2278783942B388DF29AC8E3D3E2423EDBF360B2D4C8DD46DE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000391987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.706{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.700{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.697{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.693{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.692{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.689{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.688{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.686{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.683{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.678{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.675{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.670{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.663{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.652{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.630{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.628{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.600{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.579{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.570{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.560{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.550{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.520{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.512{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.502{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.489{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.485{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.481{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.473{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000391959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:43.471{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 23542300x8000000000000000838384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.434{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88FA703435A3F5B7FEB7ACAAF25C628,SHA256=774B838BB4BF013D8208574C88BA10641C14D54D490FBF9A335BBC31F584547E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.309{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.294{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-146C-6387-0100-000000009802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97cd2|C:\Windows\system32\kerberos.DLL+79ec8|C:\Windows\system32\kerberos.DLL+1453f|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+2dad6|C:\Windows\system32\lsasrv.dll+33369|C:\Windows\system32\lsasrv.dll+30cb7|C:\Windows\system32\lsasrv.dll+2fbf1|C:\Windows\system32\lsasrv.dll+17b1d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000838379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.294{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.216{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.200{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:44.184{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:45.521{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67315625865376602D4C5BD07DA201C,SHA256=6F47F7A0F996D97E84184660C5028EB8A9B6EFB63E916CA89CC9FE1112C87225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:45.005{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0083040CDFE6538BDCD378EB822D289F,SHA256=3AE0508B6B5CE7E3CF61AA7722925E8391B58867A64F136EECCB83459382DA20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.742{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54021-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000838394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.742{8A63456F-146C-6387-0100-000000009802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54021-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000838393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.662{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54020-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.662{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54020-false10.0.1.14win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54019-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000838390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54019-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local49666- 354300x8000000000000000838389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.637{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54018-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.635{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54018-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.634{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54017-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 354300x8000000000000000838386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:43.633{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local54017-truefe80:0:0:0:4d3a:4d24:544a:a8cfwin-dc-ctus-attack-range-478.attackrange.local135epmap 23542300x8000000000000000838385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:45.287{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34BF5FDE9DFAACA416AC79B71D5FFB05,SHA256=1A58B3F7D7908229B0A1627CDF24AB79AC531191B4C43C4114F8E2D04CB9BC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:46.617{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE114D6018FD436046CF7136E1B7AB71,SHA256=5CACAF8753B0DDDCA283C6FFE6753F0379767A1028D2BC6DB501536DFF10A1B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000391992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:42.931{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50427-false10.0.1.12-8000- 10341000x8000000000000000391991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:46.205{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1E00-000000009902}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000391990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:46.084{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BC2F12CBF792A7A6C63DA873A1ECDA,SHA256=49DB6F7648C896570DCB68BBB89079334D9DAE48C023C59ED70CDA0F9B9DC260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:47.698{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07333219C381A15A0488FB58A4122442,SHA256=9AAE301DF123C346D5B1E71F966FABAF063D15752A5CA0571B6FDB25A4C48F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:47.161{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E49419323031BF6A1ADD1E75277F197,SHA256=B6311DE3C52FEC6F4FA14B3F343FF5D5277B9447B43C759CEC7B8598F190C318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:48.787{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF05720EE9A202419DF7F2052FC986,SHA256=9F656A4F8D9AFEE63A34254AC255170B05698C7B00B83D3C01FEA3FBC4293B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.249{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA86BD98F2DFC0CC20DBA421CE4DD386,SHA256=63D6F51F194F82BB0141CC651D9ADB4E7143857908DB25D483FAF8902C7A2021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:49.875{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E8152579A9E183EC2E84D0C7D5D288,SHA256=3184DA3E8561831A7D2DE0E6606E09A0B8873194A9626E80949A86AB92ED30C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000391999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000391998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.877{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000391997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.878{E56ECBBF-22C9-6387-4E02-000000009902}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000391996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.550{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000391995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:49.331{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FB4A09189DB8087083802E543F335C,SHA256=7F8F230FE42BFF03077A7CECF1872CF2B9DE8114CBF95859150A25BFF6B6A13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:50.983{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB11C9FE7E6C7C1457A22219E1CA8CD1,SHA256=6BDCD8D4A42A10758BCFAAB9A704527848061560BA1451EDF9706704E6C19E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.947{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=857EDAF42BF8BEDD680F433D93D11F90,SHA256=296B42CD9875EE9FCDCE24C08BB7C472BC4157CB87F0D52A14D2C9C4EC94AD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.838{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9A4D4B02A053A56C189F698B90FB768B,SHA256=B0466856A160F9B1924BDD42D91DA842E491C909CE576ED836453432578E3694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.561{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.562{E56ECBBF-22CA-6387-4F02-000000009902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.421{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B45C1AA13BAD97DBE3E667FE836179C,SHA256=89DF82D25A2E4B73A46BF2B9CED0B138F90314EC810E3A98B3D740C19230C3A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:47.577{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54022-false10.0.1.12-8000- 10341000x8000000000000000392010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:50.061{E56ECBBF-22C9-6387-4E02-000000009902}14563216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.516{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290AC063A9BED51DDC86556330CE2AF2,SHA256=C546539AC8EC6396ADFFE339C019E04ADAD57BD930E6FB2D5E4E5D96EE227668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146E-6387-0500-000000009902}416544C:\Windows\system32\csrss.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:51.470{E56ECBBF-22CB-6387-5002-000000009902}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000838403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:51.173{8A63456F-146E-6387-0B00-000000009802}644772C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.822{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50429-false10.0.1.12-8000- 354300x8000000000000000392027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:48.295{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50428-false10.0.1.12-8089- 23542300x8000000000000000392044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:52.502{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D00598FECA5B1B9EDD2DDBDEDB3E83,SHA256=8552DB62A93EF41CC6E1A683B7FBA5DB8ADC958DF64517CC1602B9AB1703CA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.802{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=F02EF2C8DCF9E411B3EB31DE98EAC14E,SHA256=4855A82B891741F61599D27BE7C362FDC9F67EDAB96C31F2173826199C7FE894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.071{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833C3334E6CBEA9240FC0215B91EDBE7,SHA256=CFE340A6C36B674129947FCBE1EB1DA24FBB909C673968B5B85BE160AC97F975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:52.080{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C88EE9D4BAA9B86563764D77A55DF4B5,SHA256=62849C813B27E7B2DF4111E46A364CB549AF0D68E44AE282EDB1A06B09D799C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.938{E56ECBBF-22CD-6387-5102-000000009902}2792212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.756{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.754{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.753{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.752{E56ECBBF-22CD-6387-5102-000000009902}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.595{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C7D5B2BD424E1C734ACB63C3EA25A0,SHA256=FD4AE0ABA66F0CCEF4FEBE3E65B15E9C0564E87EBB78CF16CD4CC813F61A8FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:53.167{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4635BAAA6ACBF4DCECCB3C19360646CD,SHA256=9805BE6576FB0A4278065E4DC4EFE3281A4C51C3D38EBED82CAA2316329CC372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.731{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BEA235D480D57A7C11982D126B9BEB,SHA256=DF9E1AFD837B8451DAC67703D4968198690AB7417C83211F309F1EC0FA536D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:54.239{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CAC6A2B61714F31F78C913C959E2D1,SHA256=ABC3A412D9C142F1B23C02694CEC3A2D614C07F859DBD3883F391D0B029E56D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.590{E56ECBBF-22CE-6387-5202-000000009902}33323404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.434{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:54.435{E56ECBBF-22CE-6387-5202-000000009902}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.229{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54023-false10.0.1.12-8089- 10341000x8000000000000000392099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146E-6387-0500-000000009902}416432C:\Windows\system32\csrss.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.997{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.798{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFE801B7A56F6F2DD86A1EAC0423B1C,SHA256=D05845913C5E89E5D273787E654297BF654A5F12CA7D52D5F9ED74771085A6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:55.328{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D77ED94320E2A32E87D124D445CA64,SHA256=3E5A9ACCE1370DBD7F2218F9CA90E3CD0C73AF492E8740BD5549E4EC986C4F90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.270{E56ECBBF-22CF-6387-5302-000000009902}1256620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146E-6387-0500-000000009902}416968C:\Windows\system32\csrss.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000392076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.114{E56ECBBF-146F-6387-2100-000000009902}15003740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000392075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.115{E56ECBBF-22CF-6387-5302-000000009902}1256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E56ECBBF-146E-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000838409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:52.635{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54024-false10.0.1.12-8000- 23542300x8000000000000000392105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.886{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62118E05C1DF13461C42108F53A91166,SHA256=769D55457B63C6B4B28231F754F48A35A1755BC3CC73905448582545770FAF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:56.410{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07403BEB5482EB12A9BF505B58EF3298,SHA256=8B96C0029E8A7B71E639433FB7E5807044BE2D26EDA8B0E0346B0E37054BA58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:56.379{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE1241B2B9FB679D638211F825876BC,SHA256=D505DED6385A3905972923CE11E8B5A1B426C9135828E7263BDB80BCB77C4731,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:53.890{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50430-false10.0.1.12-8000- 23542300x8000000000000000392103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.173{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F2057F9BAFE9A97BC5927AA7DC27BF1,SHA256=E4322FDA6D8ADF94ADAE9CB87CC14E9248980712D5D8AA454A9FD2D06F344869,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:56.000{E56ECBBF-1471-6387-2B00-000000009902}28922912C:\Windows\system32\conhost.exe{E56ECBBF-22CF-6387-5402-000000009902}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:55.998{E56ECBBF-146F-6387-0C00-000000009902}748668C:\Windows\system32\svchost.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000392106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:57.966{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166FE241BED10DBEB0CCC0DF8778C06D,SHA256=7CC6F8331480D434D90738F2ABE316D5E0B7E6EAD1BDA91BE6F61A1ADDFA4A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:57.510{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C188B03AD88E4580A5CA891D0789F4,SHA256=C47314A01F4F4ACA92FF6DDE9246CE9CF8206E776949E7B1CD38444DC1BCDBAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.787{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.587{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB76625094401AE016FD5B3700A746,SHA256=596EF5D44C8C936E625ADE39D8A8BE1BA0BF41E9F44D2DDAFF6AD8F764119AF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.375{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.372{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.354{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.352{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.328{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.325{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.323{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.309{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.297{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.287{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.285{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.275{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.222{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.210{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.194{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.185{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.179{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.171{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.162{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.155{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.144{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.136{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.129{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.073{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:58.062{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:59.663{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A21FFDCAAFD2E5CA902DC946747D9F,SHA256=A6A353E63867CA638DFBA5A1DFAFF491266F970BB267350C4C0835C758F6D78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:59.048{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAC2A2D728A44E0D0B38EFC22963AC0,SHA256=7CC8265CA788F1E5FE5DB0126F1718FB92C012BB73F07511485FFB50B8E2F9F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.825{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.823{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:00.745{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652C3E937D0520475B8DB3EE82654EB5,SHA256=48F63431F35082AFBCCE26290705A569FD53C01ACDADDE5BE4F5A639BCA6B739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:00.131{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE44B7FCEAD6AEA9142D752D71E70426,SHA256=32E5D410271F5356E5CBC95C2A19A636F432C66D55CDE9C7A7D540E89B35959C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:30:57.637{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54025-false10.0.1.12-8000- 10341000x8000000000000000838457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.865{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.865{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.864{8A63456F-146E-6387-0B00-000000009802}644696C:\Windows\system32\lsass.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.847{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-3100-000000009802}2952C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.831{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8E6E5388A24D126E0D4638E63C2700,SHA256=2DFC15C03C61F83DF3EB17843CC710B50115E2E98226AFCEA85BEE6096E681E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:01.206{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1917C71BCD37787826274446E4E6A2,SHA256=300B34EBE5B3B6F54BB290375DAFE31A1A23326E61F1D8273573B2247967328C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.353{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.348{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.345{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.342{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.341{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.338{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 10341000x8000000000000000838446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:01.337{8A63456F-147F-6387-3100-000000009802}29523528C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480A90) 23542300x8000000000000000838459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:02.913{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F716BF95FC8B9EDBDED8B4FA766BF033,SHA256=150B696E65C75B5B231D2466E8E9BCB7B5B67204137AFB9DEEEC74D378C9453E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:02.850{8A63456F-1471-6387-0D00-000000009802}9082236C:\Windows\system32\svchost.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000392111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:30:59.798{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50431-false10.0.1.12-8000- 23542300x8000000000000000392110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:02.296{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B339B9354EF36F3404773EE0089ADF,SHA256=92EFCC93D183EAF6A5E940C1BA3FD69E76E14C02AA6FEE0C75784377913C22F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:03.882{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B7A043CE11A068D12770133BD10FA5,SHA256=305BB02744BAACB406E2062368397B80B9764AEF45B642EB38286A03BE1B6BAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.693{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.691{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.689{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.686{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.685{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.682{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.681{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.680{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.677{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.674{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.673{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.666{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.663{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.657{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.649{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.647{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1700-000000009902}1232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.635{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1600-000000009902}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.629{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1500-000000009902}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.619{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1400-000000009902}1076C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.613{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1300-000000009902}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.605{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1200-000000009902}288C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.570{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1000-000000009902}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.555{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1100-000000009902}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.544{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0F00-000000009902}916C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.530{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0E00-000000009902}908C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.512{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0D00-000000009902}800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.499{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-0C00-000000009902}748C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.486{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000392113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.480{E56ECBBF-146F-6387-1E00-000000009902}20202080C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146E-6387-0900-000000009902}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 23542300x8000000000000000392112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:03.386{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E9FC48E09BCDCA9CF312DA143194BC,SHA256=367263345596D373F184F4EAC45153224365267E8D8118CBB142AFDE67837CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:04.958{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57436D3EA5C1697B1892EE6C63B20E8,SHA256=E41BC03A269D682D12B7FE273209001C74864D5612FF9A5029FD283676AC2F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:04.830{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5968AB9213E71DA284BEF28AD52030A9,SHA256=A2F8F24D747F0767C0B734F66FEBE8DADF758C2DA02F879C6C762A3C9DA982D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:05.903{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C1E07C71DE47B3D1383D07A7E5CA80,SHA256=85613F914805FD0439C93491F84E70D2CFED8B2E3F0986E58F2801489129954F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.809{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.810{8A63456F-22D9-6387-5402-000000009802}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.342{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=567EF1BE79BF0A990DB99786A8D61E46,SHA256=D8F4556406DAE59AA41B66915DA2C8EB2440CB5D4DEF4F0129DB889665B6DA04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 10341000x8000000000000000838476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.311{8A63456F-147F-6387-3100-000000009802}29523576C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00850) 354300x8000000000000000838475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:03.543{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54026-false10.0.1.12-8000- 10341000x8000000000000000838474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.145{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.147{8A63456F-22D9-6387-5302-000000009802}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:06.994{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868DC2EFEBEE335CA3F326A1BBFE2C6,SHA256=0CF656EA74FC86A969CAB3BFFB9C78F7CCAE76C02879EFEDA591478CC284F3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.932{8A63456F-147F-6387-2D00-000000009802}2788NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EAC6CB3D9E0C50E8205C4FE5DFADA27,SHA256=678318F55D32CC978B698FAB283B4096BB85E054FD957BD0C8B0AE73A1642C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.503{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E01F25C0DFC20EA7D4E0291AC36AD14,SHA256=E58BE14522268CD0CD293B6495B3ACB9BDECE649C1633FC6D38A3B7DA84B625F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.503{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8858D0C3A23F0ED48912DD4E908818,SHA256=050282860F200790DA338D8AD17B1E16277D41F316A95A56406E7F990CDD80EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.487{8A63456F-22DA-6387-5502-000000009802}42404460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.313{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.311{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:06.310{8A63456F-22DA-6387-5502-000000009802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:07.363{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D1263A2756885FBFD8D863924B53D0,SHA256=A2EE89367AA832ECAEF1E2918163939BEB21F336099E3862E4663071878ECBA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:04.889{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50432-false10.0.1.12-8000- 10341000x8000000000000000838525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.801{8A63456F-22DC-6387-5602-000000009802}43724156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.539{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.540{8A63456F-22DC-6387-5602-000000009802}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:08.435{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C431BFF40BA33316CC67371425CB9A2,SHA256=9D7401B26722AE028C24E8997F1281E0146965139BD5B4B6AADE5FB245C3CB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:08.335{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7C4B9A1B04C2AFBE542CC66324082F3F,SHA256=D9E6395CC9EF9B21BF14E618953CB2406EA6AF221455C1F872D54AF8939299B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:08.077{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F9E44F1177B0FAEB593E1A16F670C,SHA256=C8FC0387C7E2DAAE9C8B0A3D99E7BAEE148910161EC90626223AD41D2290234D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.982{8A63456F-22DD-6387-5802-000000009802}46123084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000838555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.903{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8EC9874CFEF61323BDA954EBA550B6,SHA256=D0920B612904F3F7DCDC691E1AD1A3619379DA3AEB96151F055D967412D5A98E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-146E-6387-0500-000000009802}412400C:\Windows\system32\csrss.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.732{8A63456F-22DD-6387-5802-000000009802}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:09.488{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\respondent-20221130082938-059MD5=1A32CBE424C0FD56A19B8799D3C64243,SHA256=EA6D997F19314B6150EFB9A20554F04E0A1C60C572E1FF9571FF112B025B3E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:09.159{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850AA579533643681B6D90DD9042B3C9,SHA256=00D045F7732B4A22EAD5D98939C26D4E31AFFFB3422A0C5F97A3EA8D0E0132C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.784{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54027-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 354300x8000000000000000838540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:05.784{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54027-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local389ldap 10341000x8000000000000000838539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.316{8A63456F-22DD-6387-5702-000000009802}28284248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.051{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.052{8A63456F-22DD-6387-5702-000000009802}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000838557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:10.849{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE17B0B280EEBC1FE4C73AC03C191AE,SHA256=BE0ABC51E5FFB15B56E613E1A604A9205AA0C2029C29DABF5A8A58597D9BB210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.490{E56ECBBF-146F-6387-1C00-000000009902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c8aa6a826f0aef77\channels\health\surveyor-20221130082936-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.243{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FAC14D4C6AB5E2ECCFD7E2D6025B2F,SHA256=6C220663F02A718070F1C2038277D49BCD23D5DCE63C5A480575053EDF0D3272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.929{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED276E1AE911D9580DE9D52A19BFFAC,SHA256=1112B9B52713E854C6648D16C58BBB46E23D211477052235B1B99D740F18CD65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1480-6387-3800-000000009802}32923312C:\Windows\system32\conhost.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-1470-6387-0C00-000000009802}852884C:\Windows\system32\svchost.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-146E-6387-0500-000000009802}412428C:\Windows\system32\csrss.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000838560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.866{8A63456F-147F-6387-2D00-000000009802}27883796C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000838559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:11.867{8A63456F-22DF-6387-5902-000000009802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8A63456F-146F-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000392152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:11.313{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EC9336C4C4CC502B9E2443F3D6E9D0,SHA256=FD672E8E0338B26A4D6F91632339F867DEF72078DA4F4FB9A73A482F2D4B02BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:09.580{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54028-false10.0.1.12-8000- 23542300x8000000000000000838573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:12.900{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=762CD888FC8DC724104343E2F9226B7A,SHA256=C68AB2324F05C2F2514417FF391AC79D2FF114358CA5C0D6FF934FE68E23D116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:12.401{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7E304A4459E533132E6B74470F3E62,SHA256=A1644A3DDFF2E5A37D6CFC0F5894595B22E6D747F9D72463C199B4253807D347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:13.976{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56820AC88BD1B0324517531539A9DD8B,SHA256=F87A255778199EBEDF7941D009B6A323F8C265A49E1A24FAAC87B373B279014B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:10.850{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50433-false10.0.1.12-8000- 23542300x8000000000000000392154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:13.485{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2DE4EC40EEAFB5939A225A94F7C253,SHA256=555FA0CC84D8FEEBB3F2044F39ACF5BBF854491D5F6BAE4950B52B82E409A576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:13.009{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54F6941C4AF22ACA1DAED50D9218DFB,SHA256=8B382EC6FD01F6FEBF019827B535320A6798EF025D57EA95F51687D89459496B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:14.568{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C4689DBDE344A1ECBF055251DD9807,SHA256=D103D1A59CD8BC624638BFCF3BF795CAE435298DD5D63D8D37474C1E856D9CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:15.641{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEA496B1BF707759922D158A65EFA0A,SHA256=8809C6C0EA41BB3E57228732C53DCDEB1ADFCA49BF27046724AFBE9793441563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:15.065{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F899B1B983B80A11E4CCCFD56B2B8ED,SHA256=955DBF2727BBBFF83903F32C6B8D846D2B305A6FDC4A1F9C1AA6545492B7AC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:16.717{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148C28DC70373F3F52287E4BF828AF2B,SHA256=4F7E8F37729B9697FD0DA3E5F4991EDA1DB7C7B6369AC0376A58DC215D4DC74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:16.150{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F370DC605F1918B1A5A09992EE9336,SHA256=A5D64185873CDD07D56372862528411DC12FA591B6BBF551688C28236D640187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:17.805{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9C07C9664D5539F01AF4FF77566471,SHA256=786C89A46761FDC63D7BCB0B5B07E27D587AD732BD137C23219FA9B670E506A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:15.577{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54029-false10.0.1.12-8000- 23542300x8000000000000000838578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.241{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A7C07ABD424494A49F49813AA2D233,SHA256=235AEEC486166685516FCF2187D7CA913887CC0B99D43B599128CC7F3BD87F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:18.873{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858A5EC5DD154A6F759800BDB2FE61D8,SHA256=C8CA1E02DC39BD4567AAE38712CF2458B809F37F714443980FD511F3885721FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.855{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2F00-000000009802}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.325{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000838604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.322{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60F5CF9F41A96B27C7FF32752250243,SHA256=079133FDEDA9EEBF2502C3A8FF911DE335C2C80DFF0693C0E9D74BDBC293A9D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.312{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2D00-000000009802}2788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.294{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2C00-000000009802}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.293{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2A00-000000009802}2680C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.244{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2B00-000000009802}2688C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.240{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2900-000000009802}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.236{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2700-000000009802}2612C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.229{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2600-000000009802}2596C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.223{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-2500-000000009802}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.216{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147A-6387-2300-000000009802}2372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.214{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1472-6387-1D00-000000009802}2132C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.212{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1700-000000009802}1420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.186{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1600-000000009802}1280C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.180{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1500-000000009802}1248C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.162{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1400-000000009802}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.156{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1300-000000009802}1056C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.148{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1200-000000009802}776C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.140{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1100-000000009802}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.133{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-1000-000000009802}708C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.125{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0F00-000000009802}376C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.118{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0E00-000000009802}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.109{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1471-6387-0D00-000000009802}908C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.101{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1470-6387-0C00-000000009802}852C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.048{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0B00-000000009802}644C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:18.045{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-146E-6387-0900-000000009802}584C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:19.970{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A5D9FA28141AA0305D7802F1167EB1,SHA256=C474426338CF787F2D031F5B6116F3774309C0DDFF16280A45EFE60207EA2DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.902{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53831- 354300x8000000000000000838609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.902{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local63259- 354300x8000000000000000838608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.900{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-478.attackrange.local54354- 23542300x8000000000000000838607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:19.260{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0096E9E02FA15D5B5EFAB7D926299463,SHA256=08BE3B3A0E10F8D37DECA6C83A20AF6EE87B55A42C56A6156217D5542C82AB0C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000392171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000392170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00388feb) 13241300x8000000000000000392169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x1e512d5d) 13241300x8000000000000000392168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0x8015955d) 13241300x8000000000000000392167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a6-0xe1d9fd5d) 13241300x8000000000000000392166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000392165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00388feb) 13241300x8000000000000000392164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d90496-0x1e512d5d) 13241300x8000000000000000392163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9049e-0x8015955d) 13241300x8000000000000000392162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-SetValue2022-11-30 09:31:19.393{E56ECBBF-146E-6387-0B00-000000009902}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904a6-0xe1d9fd5d) 354300x8000000000000000392161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:15.957{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-225.us-east-2.compute.internal50434-false10.0.1.12-8000- 10341000x8000000000000000838614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.907{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3300-000000009802}2464C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.906{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-147F-6387-3000-000000009802}2944C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 354300x8000000000000000838612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:17.903{8A63456F-147F-6387-2E00-000000009802}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local62860- 23542300x8000000000000000838611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.362{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A29B7A30849BE6B19C6EF2A4575D43,SHA256=1EB58CB09F29568E11860A297D081E2CBFADE0365C333328DB8D05F78C2D5B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.446{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ABAA1F9DAC775390499714D4A4B1BC,SHA256=D48DAB933832151C7BB8AC1AA3AB7C474D3545F975DDA4DCD1236305516216AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000838621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.443{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1F15-6387-E201-000000009802}2572C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.438{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-14F9-6387-8900-000000009802}2380C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.435{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1492-6387-7B00-000000009802}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.430{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.429{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4500-000000009802}3644C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.425{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1481-6387-4400-000000009802}3612C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 10341000x8000000000000000838615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:21.422{8A63456F-147F-6387-3100-000000009802}29523640C:\Program Files\Aurora-Agent\aurora-agent.exe{8A63456F-1480-6387-3800-000000009802}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019455150) 23542300x8000000000000000392173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:21.045{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F68D7B32D7758322223D666BB6FCBFD,SHA256=AF8D305D79B4BFE781BA49EE0BE0B7FBFF49B365F09D98D4545CEA80C2757913,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000838624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:20.600{8A63456F-148B-6387-7100-000000009802}4064C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-478.attackrange.local54030-false10.0.1.12-8000- 23542300x8000000000000000838623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:22.520{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C85E6DA3C9FAC7402909E4E2CDC686C,SHA256=424CCF4EDCF7410DA38CAA8CEE167A9C0B7BAD344C97E55162656BDD7C8F649A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:22.317{E56ECBBF-146F-6387-2100-000000009902}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DF3F859363A00277C034E498CE311FE5,SHA256=E46B9DF97AC9273DE98F1C344C380F414F0A3BA7CABE57FE2566191496A7888F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:22.129{E56ECBBF-1482-6387-6D00-000000009902}3236NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7BBB532F05FDEFC1D7320B1E679C4F,SHA256=E9220253CCCF382669AB466B039A1FDD135F4FCE23770056D324B216EF2AD13D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:23.859{8A63456F-147F-6387-2900-000000009802}2628NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0bcfe5abeb01bc3e6\channels\health\respondent-20221130082953-059MD5=683651717EC8DAC081C38E211BC7EBA2,SHA256=5740F9BFEDA541BBB683F557CBD7668BC17497F3A3A4C7CEA871290E93407AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000838625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-478.attackrange.local-2022-11-30 09:31:23.597{8A63456F-1492-6387-7B00-000000009802}3836NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494DD48E3DFB2DC192313A457EC0FC74,SHA256=EC211C84F393CDB370F57C7B870F224640C0378B13C6BD65609D36B6DE67890B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000392205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.656{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-21D6-6387-3102-000000009902}3544C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.653{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-14EA-6387-8400-000000009902}1888C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.649{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1482-6387-6D00-000000009902}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.647{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-147B-6387-6200-000000009902}3884C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.646{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3D00-000000009902}1756C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.643{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1472-6387-3C00-000000009902}1948C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.641{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1471-6387-2B00-000000009902}2892C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.640{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2600-000000009902}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.637{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-1470-6387-2300-000000009902}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.631{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2100-000000009902}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.630{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-2000-000000009902}1116C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.619{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1F00-000000009902}2036C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.610{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1D00-000000009902}2012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.602{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1C00-000000009902}1876C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90) 10341000x8000000000000000392191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-225-2022-11-30 09:31:23.592{E56ECBBF-146F-6387-1E00-000000009902}20203592C:\Program Files\Aurora-Agent\aurora-agent.exe{E56ECBBF-146F-6387-1900-000000009902}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015846A90)